feat(mmds): Add metric to count GET requests with invalid tokens

In the previous commit, MMDS v1 was made to support token generation but
a given token to GET request was not validated. Validates the token and
increments a new metric `rx_invalid_token` if it is not valid.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -24,6 +24,12 @@ and this project adheres to
   Extended MMDS to support the EC2 IMDS-compatible session token headers (i.e.
   "X-aws-ec2-metadata-token" and "X-aws-ec2-metadata-token-ttl-seconds")
   alongside the MMDS-specific ones.
+- [#5290](https://github.com/firecracker-microvm/firecracker/pull/5290): Added
+  `mmds.rx_invalid_token` metric to track the number of GET requests that were
+  rejected due to token validation failures in MMDS version 2. This metric also
+  counts requests that would be rejected in MMDS version 2 when MMDS version 1
+  is configured. This helps users assess readiness for migrating to MMDS version
+  2.
 
 ### Changed
 

docs/mmds/mmds-user-guide.md

@@ -235,6 +235,8 @@ As in version 2, version 1 also supports a session oriented method in order to
 make the migration easier. See [the next section](#version-2) for the session
 oriented method. Note that version 1 returns a successful response to a `GET`
 request even with an invalid token or no token not to break existing workloads.
+`mmds.rx_invalid_token` metric tracks the number of `GET` requests with invalid
+tokens, helping users evaluate their readiness for migrating to MMDS version 2.
 
 Requests containing any other HTTP methods than `GET` and `PUT` will receive
 **405 Method Not Allowed** error.

src/vmm/src/logger/metrics.rs

@@ -539,6 +539,8 @@ pub struct MmdsMetrics {
     pub rx_accepted_unusual: SharedIncMetric,
     /// The number of buffers which couldn't be parsed as valid Ethernet frames by the MMDS.
     pub rx_bad_eth: SharedIncMetric,
+    /// The number of GET requests with invalid tokens.
+    pub rx_invalid_token: SharedIncMetric,
     /// The total number of successful receive operations by the MMDS.
     pub rx_count: SharedIncMetric,
     /// The total number of bytes sent by the MMDS.
@@ -562,6 +564,7 @@ impl MmdsMetrics {
             rx_accepted_err: SharedIncMetric::new(),
             rx_accepted_unusual: SharedIncMetric::new(),
             rx_bad_eth: SharedIncMetric::new(),
+            rx_invalid_token: SharedIncMetric::new(),
             rx_count: SharedIncMetric::new(),
             tx_bytes: SharedIncMetric::new(),
             tx_count: SharedIncMetric::new(),

src/vmm/src/mmds/mod.rs

@@ -18,6 +18,7 @@ use micro_http::{
 };
 use serde_json::{Map, Value};
 
+use crate::logger::{IncMetric, METRICS};
 use crate::mmds::data_store::{Mmds, MmdsDatastoreError as MmdsError, MmdsVersion, OutputFormat};
 use crate::mmds::token::PATH_TO_TOKEN;
 use crate::mmds::token_headers::{
@@ -143,7 +144,20 @@ pub fn convert_to_response(mmds: Arc<Mutex<Mmds>>, request: Request) -> Response
 }
 
 fn respond_to_get_request_v1(mmds: &Mmds, request: Request) -> Response {
-    // TODO: Increments metrics that will be added in an upcoming commit.
+    match get_header_value_pair(
+        request.headers.custom_entries(),
+        &[X_METADATA_TOKEN_HEADER, X_AWS_EC2_METADATA_TOKEN_HEADER],
+    ) {
+        Some((_, token)) => {
+            if !mmds.is_valid_token(token) {
+                METRICS.mmds.rx_invalid_token.inc();
+            }
+        }
+        None => {
+            // TODO: Increment a metric that will be added in an upcoming commit.
+        }
+    }
+
     respond_to_get_request(mmds, request)
 }
 
@@ -168,12 +182,15 @@ fn respond_to_get_request_v2(mmds: &Mmds, request: Request) -> Response {
     // Validate the token.
     match mmds.is_valid_token(token) {
         true => respond_to_get_request(mmds, request),
-        false => build_response(
-            request.http_version(),
-            StatusCode::Unauthorized,
-            MediaType::PlainText,
-            Body::new(VmmMmdsError::InvalidToken.to_string()),
-        ),
+        false => {
+            METRICS.mmds.rx_invalid_token.inc();
+            build_response(
+                request.http_version(),
+                StatusCode::Unauthorized,
+                MediaType::PlainText,
+                Body::new(VmmMmdsError::InvalidToken.to_string()),
+            )
+        }
     }
 }
 
@@ -536,8 +553,10 @@ mod tests {
               Accept: application/json\r\n\r\n",
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test valid v2 request.
         let request = Request::try_from(
@@ -561,8 +580,10 @@ mod tests {
             .as_bytes(),
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test GET request with invalid token is accepted when v1 is configured.
         let (request, expected_response) = generate_request_and_expected_response(
@@ -571,8 +592,13 @@ mod tests {
               X-metadata-token: INVALID_TOKEN\r\n\r\n",
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds, request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(
+            prev_rx_invalid_token + 1,
+            METRICS.mmds.rx_invalid_token.count()
+        );
     }
 
     #[test]
@@ -707,8 +733,10 @@ mod tests {
             .as_bytes(),
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test invalid customer header value is ignored if not PUT request to /latest/api/token.
         #[rustfmt::skip]
@@ -801,8 +829,13 @@ mod tests {
             let mut expected_response = Response::new(Version::Http10, StatusCode::Unauthorized);
             expected_response.set_content_type(MediaType::PlainText);
             expected_response.set_body(Body::new(VmmMmdsError::InvalidToken.to_string()));
+            let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
             let actual_response = convert_to_response(mmds.clone(), request);
             assert_eq!(actual_response, expected_response);
+            assert_eq!(
+                prev_rx_invalid_token + 1,
+                METRICS.mmds.rx_invalid_token.count()
+            );
 
             // Wait for the second token to expire.
             std::thread::sleep(Duration::from_secs(1));

tests/host_tools/fcmetrics.py

@@ -185,6 +185,7 @@ def validate_fc_metrics(metrics):
             "rx_accepted_err",
             "rx_accepted_unusual",
             "rx_bad_eth",
+            "rx_invalid_token",
             "rx_count",
             "tx_bytes",
             "tx_count",

tests/integration_tests/functional/test_mmds.py

@@ -156,6 +156,8 @@ def test_mmds_token(uvm_plain, version, imds_compat):
                 " header to specify the session token."
             ),
         )
+    metrics = test_microvm.flush_metrics()
+    assert metrics["mmds"]["rx_invalid_token"] == 0
 
     # GET request with invalid token
     cmd = (
@@ -168,11 +170,15 @@ def test_mmds_token(uvm_plain, version, imds_compat):
     elif version == "V2":
         # V2 denies invalid token
         run_guest_cmd(ssh_connection, cmd, "MMDS token not valid.")
+    metrics = test_microvm.flush_metrics()
+    assert metrics["mmds"]["rx_invalid_token"] == 1
 
     # Get request with valid token
     token = generate_mmds_session_token(ssh_connection, DEFAULT_IPV4, 60, imds_compat)
     cmd = generate_mmds_get_request(DEFAULT_IPV4, token, False, imds_compat) + "foo"
     run_guest_cmd(ssh_connection, cmd, "bar")
+    metrics = test_microvm.flush_metrics()
+    assert metrics["mmds"]["rx_invalid_token"] == 0
 
 
 @pytest.mark.parametrize("version", MMDS_VERSIONS)