feat(mmds): Support token generation via PUT in MMDS v1

To enable smoother migration from v1 to v2, make MMDS v1 support PUT
request to /latest/api/token for token generation.

We do NOT make MMDS v1 deny GET requests even with invalid tokens not
to break existing workloads. It does not validate a given toekn at this
point, but it will validate to increment a metric that will be added to
count such requests having invalid tokens.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -31,6 +31,11 @@ and this project adheres to
 - [#5290](https://github.com/firecracker-microvm/firecracker/pull/5290): Changed
   MMDS to validate the value of "X-metadata-token-ttl-seconds" header only if it
   is a PUT request to /latest/api/token, as in EC2 IMDS.
+- [#5290](https://github.com/firecracker-microvm/firecracker/pull/5290): Changed
+  MMDS version 1 to support the session oriented method as in version 2,
+  allowing easier migration to version 2. Note that MMDS version 1 accepts a GET
+  request even with no token or an invalid token so that existing workloads
+  continue to work.
 
 ### Deprecated
 

docs/mmds/mmds-user-guide.md

@@ -231,8 +231,13 @@ must be issued. The requested resource can be referenced by its corresponding
 the MMDS request. The HTTP response content will contain the referenced metadata
 resource.
 
-The only HTTP method supported by MMDS version 1 is `GET`. Requests containing
-any other HTTP method will receive **405 Method Not Allowed** error.
+As in version 2, version 1 also supports a session oriented method in order to
+make the migration easier. See [the next section](#version-2) for the session
+oriented method. Note that version 1 returns a successful response to a `GET`
+request even with an invalid token or no token not to break existing workloads.
+
+Requests containing any other HTTP methods than `GET` and `PUT` will receive
+**405 Method Not Allowed** error.
 
 ```bash
 MMDS_IPV4_ADDR=169.254.170.2

src/vmm/src/builder.rs

@@ -987,7 +987,7 @@ pub(crate) mod tests {
         net_builder.build(net_config).unwrap();
         let net = net_builder.iter().next().unwrap();
         let mut mmds = Mmds::default();
-        mmds.set_version(mmds_version).unwrap();
+        mmds.set_version(mmds_version);
         net.lock().unwrap().configure_mmds_network_stack(
             MmdsNetworkStack::default_ipv4_addr(),
             Arc::new(Mutex::new(mmds)),

src/vmm/src/device_manager/persist.rs

@@ -569,7 +569,7 @@ impl<'a> Persist<'a> for MMIODeviceManager {
             // If there's at least one network device having an mmds_ns, it means
             // that we are restoring from a version that did not persist the `MmdsVersionState`.
             // Init with the default.
-            constructor_args.vm_resources.mmds_or_default();
+            constructor_args.vm_resources.mmds_or_default()?;
         }
 
         for net_state in &state.net_devices {

src/vmm/src/mmds/data_store.rs

@@ -12,9 +12,9 @@ use crate::mmds::token::{MmdsTokenError as TokenError, TokenAuthority};
 /// The Mmds is the Microvm Metadata Service represented as an untyped json.
 #[derive(Debug)]
 pub struct Mmds {
+    version: MmdsVersion,
     data_store: Value,
-    // None when MMDS V1 is configured, Some for MMDS V2.
-    token_authority: Option<TokenAuthority>,
+    token_authority: TokenAuthority,
     is_initialized: bool,
     data_store_limit: usize,
 }
@@ -65,19 +65,20 @@ pub enum MmdsDatastoreError {
 // Used for ease of use in tests.
 impl Default for Mmds {
     fn default() -> Self {
-        Self::default_with_limit(51200)
+        Self::try_new(51200).unwrap()
     }
 }
 
 impl Mmds {
     /// MMDS default instance with limit `data_store_limit`
-    pub fn default_with_limit(data_store_limit: usize) -> Self {
-        Mmds {
+    pub fn try_new(data_store_limit: usize) -> Result<Self, MmdsDatastoreError> {
+        Ok(Mmds {
+            version: MmdsVersion::V1,
             data_store: Value::default(),
-            token_authority: None,
+            token_authority: TokenAuthority::try_new()?,
             is_initialized: false,
             data_store_limit,
-        }
+        })
     }
 
     /// This method is needed to check if data store is initialized.
@@ -92,52 +93,29 @@ impl Mmds {
     }
 
     /// Set the MMDS version.
-    pub fn set_version(&mut self, version: MmdsVersion) -> Result<(), MmdsDatastoreError> {
-        match version {
-            MmdsVersion::V1 => {
-                self.token_authority = None;
-                Ok(())
-            }
-            MmdsVersion::V2 => {
-                if self.token_authority.is_none() {
-                    self.token_authority = Some(TokenAuthority::try_new()?);
-                }
-                Ok(())
-            }
-        }
+    pub fn set_version(&mut self, version: MmdsVersion) {
+        self.version = version;
     }
 
-    /// Return the MMDS version by checking the token authority field.
+    /// Get the MMDS version.
     pub fn version(&self) -> MmdsVersion {
-        if self.token_authority.is_none() {
-            MmdsVersion::V1
-        } else {
-            MmdsVersion::V2
-        }
+        self.version
     }
 
     /// Sets the Additional Authenticated Data to be used for encryption and
-    /// decryption of the session token when MMDS version 2 is enabled.
+    /// decryption of the session token.
     pub fn set_aad(&mut self, instance_id: &str) {
-        if let Some(ta) = self.token_authority.as_mut() {
-            ta.set_aad(instance_id);
-        }
+        self.token_authority.set_aad(instance_id);
     }
 
     /// Checks if the provided token has not expired.
-    pub fn is_valid_token(&self, token: &str) -> Result<bool, TokenError> {
-        self.token_authority
-            .as_ref()
-            .ok_or(TokenError::InvalidState)
-            .map(|ta| ta.is_valid(token))
+    pub fn is_valid_token(&self, token: &str) -> bool {
+        self.token_authority.is_valid(token)
     }
 
     /// Generate a new Mmds token using the token authority.
     pub fn generate_token(&mut self, ttl_seconds: u32) -> Result<String, TokenError> {
-        self.token_authority
-            .as_mut()
-            .ok_or(TokenError::InvalidState)
-            .and_then(|ta| ta.generate_token_secret(ttl_seconds))
+        self.token_authority.generate_token_secret(ttl_seconds)
     }
 
     /// set MMDS data store limit to `data_store_limit`
@@ -304,11 +282,11 @@ mod tests {
         assert_eq!(mmds.version(), MmdsVersion::V1);
 
         // Test setting MMDS version to v2.
-        mmds.set_version(MmdsVersion::V2).unwrap();
+        mmds.set_version(MmdsVersion::V2);
         assert_eq!(mmds.version(), MmdsVersion::V2);
 
-        // Test setting MMDS version back to default.
-        mmds.set_version(MmdsVersion::V1).unwrap();
+        // Test setting MMDS version back to v1.
+        mmds.set_version(MmdsVersion::V1);
         assert_eq!(mmds.version(), MmdsVersion::V1);
     }
 
@@ -593,37 +571,4 @@ mod tests {
 
         assert_eq!(mmds.get_data_str().len(), 2);
     }
-
-    #[test]
-    fn test_is_valid() {
-        let mut mmds = Mmds::default();
-        // Set MMDS version to V2.
-        mmds.set_version(MmdsVersion::V2).unwrap();
-        assert_eq!(mmds.version(), MmdsVersion::V2);
-
-        assert!(!mmds.is_valid_token("aaa").unwrap());
-
-        mmds.token_authority = None;
-        assert_eq!(
-            mmds.is_valid_token("aaa").unwrap_err().to_string(),
-            TokenError::InvalidState.to_string()
-        )
-    }
-
-    #[test]
-    fn test_generate_token() {
-        let mut mmds = Mmds::default();
-        // Set MMDS version to V2.
-        mmds.set_version(MmdsVersion::V2).unwrap();
-        assert_eq!(mmds.version(), MmdsVersion::V2);
-
-        let token = mmds.generate_token(1).unwrap();
-        assert!(mmds.is_valid_token(&token).unwrap());
-
-        mmds.token_authority = None;
-        assert_eq!(
-            mmds.generate_token(1).err().unwrap().to_string(),
-            TokenError::InvalidState.to_string()
-        );
-    }
 }