Generalized ECS provider v2 (attempt 3) (#2953)

Author: mullermp

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
+
 3.187.1 (2023-11-20)
 ------------------
 

gems/aws-sdk-core/lib/aws-sdk-core/ecs_credentials.rb

@@ -6,7 +6,7 @@
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
@@ -17,6 +17,12 @@ class ECSCredentials
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -41,7 +47,7 @@ class Non200Response < RuntimeError; end
     #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
-    # @option options [String] :endpoint The ECS credential endpoint.
+    # @option options [String] :endpoint The container credential endpoint.
     #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
     #   environment variable. This value is ignored if `credential_path` or
     #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
@@ -64,7 +70,6 @@ def initialize(options = {})
       endpoint = options[:endpoint] ||
                  ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
       initialize_uri(options, credential_path, endpoint)
-      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
 
       @retries = options[:retries] || 5
       @http_open_timeout = options[:http_open_timeout] || 5
@@ -103,31 +108,43 @@ def initialize_relative_uri(options, path)
 
     def initialize_full_uri(endpoint)
       uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
       validate_full_uri!(uri)
-      @host = uri.host
+      @host = uri.hostname
       @port = uri.port
       @scheme = uri.scheme
-      @credential_path = uri.path
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
     end
 
     # Validate that the full URI is using a loopback address if scheme is http.
     def validate_full_uri!(full_uri)
       return unless full_uri.scheme == 'http'
 
       begin
-        return if ip_loopback?(IPAddr.new(full_uri.host))
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
       rescue IPAddr::InvalidAddressError
         addresses = Resolv.getaddresses(full_uri.host)
-        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
       end
 
       raise ArgumentError,
-            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
-            'address when using the http scheme.'
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
     end
 
     # loopback? method is available in Ruby 2.5+
     # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
     def ip_loopback?(ip_address)
       case ip_address.family
       when Socket::AF_INET
@@ -139,6 +156,20 @@ def ip_loopback?(ip_address)
       end
     end
 
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -174,10 +205,36 @@ def get_credentials
           http_get(conn, @credential_path)
         end
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
     rescue StandardError
       '{}'
     end
 
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
+    end
+
     def open_connection
       http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
@@ -190,18 +247,27 @@ def open_connection
 
     def http_get(connection, path)
       request = Net::HTTP::Get.new(path)
-      request['Authorization'] = @authorization_token if @authorization_token
+      set_authorization_token(request)
       response = connection.request(request)
       raise Non200Response unless response.code.to_i == 200
 
       response.body
     end
 
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
+      end
+    end
+
     def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
+      rescue TokenFileReadError, InvalidTokenError
+        raise
       rescue *error_classes => _e
         raise unless retries < max_retries
 

gems/aws-sdk-core/spec/aws/ecs_credentials_request.json

@@ -0,0 +1,159 @@
+[
+  {
+    "description": "should reject forbidden host in full URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://192.168.1.1/endpoint"
+    },
+    "expect": {
+      "type": "error",
+      "reason": "'192.168.1.1' is not an allowed host"
+    }
+  },
+  {
+    "description": "should reject forbidden link-local host in full URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.3/endpoint"
+    },
+    "expect": {
+      "type": "error",
+      "reason": "169.254.170.3' is not an allowed host"
+    }
+  },
+  {
+    "description": "should reject invalid token file path",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/endpoint",
+      "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": "/full/path/to/token/file"
+    },
+    "token_file": {
+      "type": "error",
+      "errno": "ENOENT"
+    },
+    "expect": {
+      "type": "error",
+      "reason": "failed to read authorization token from '/full/path/to/token/file': no such file or directory"
+    }
+  },
+  {
+    "description": "https URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "https://awscredentials.amazonaws.com/credentials"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "https://awscredentials.amazonaws.com/credentials",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "http loopback(v4) URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://127.0.0.2/credentials"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://127.0.0.2/credentials",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "http loopback(v6) URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://[::1]/credentials"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://[::1]/credentials",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "http link-local ECS URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.2/credentials"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://169.254.170.2/credentials",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "http link-local EKS URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://169.254.170.23/credentials"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://169.254.170.23/credentials",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "complex full URI",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://127.0.0.1:8080/credentials?foo=bar%20baz"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://127.0.0.1:8080/credentials?foo=bar%20baz",
+        "headers": {}
+      }
+    }
+  },
+  {
+    "description": "auth token from file",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/credentials-relative",
+      "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": "/path/to/token"
+    },
+    "token_file": {
+      "type": "success",
+      "content": "Basic static%20token"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://169.254.170.2/credentials-relative",
+        "headers": {
+          "Authorization": "Basic static%20token"
+        }
+      }
+    }
+  },
+  {
+    "description": "auth token from env",
+    "env": {
+      "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/credentials-relative",
+      "AWS_CONTAINER_AUTHORIZATION_TOKEN": "Basic static%20token2"
+    },
+    "expect": {
+      "type": "success",
+      "request": {
+        "method": "GET",
+        "uri": "http://169.254.170.2/credentials-relative",
+        "headers": {
+          "Authorization": "Basic static%20token2"
+        }
+      }
+    }
+  }
+]