fix(mmds): Validate X-metadata-token-ttl-seconds header only if needed

We checked that "X-metadata-token-ttl-seconds" has a valid positive
number regardless of the request type. On the oher hand, EC2 IMDS only
validates it only if it is a PUT request to "/latest/api/token". Such
a behavioral difference from EC2 IMDS could result in unexpected issues.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -28,6 +28,9 @@ and this project adheres to
   Incremental snapshots remain in developer preview.
 - [#5282](https://github.com/firecracker-microvm/firecracker/pull/5282): Updated
   jailer to no longer require the executable file name to contain `firecracker`.
+- [#5290](https://github.com/firecracker-microvm/firecracker/pull/5290): Changed
+  MMDS to validate the value of "X-metadata-token-ttl-seconds" header only if it
+  is a PUT request to /latest/api/token, as in EC2 IMDS.
 
 ### Deprecated
 

src/vmm/src/mmds/mod.rs

@@ -17,11 +17,13 @@ use micro_http::{
     Body, HttpHeaderError, MediaType, Method, Request, RequestError, Response, StatusCode, Version,
 };
 use serde_json::{Map, Value};
-use token_headers::TokenHeaders;
 
 use crate::mmds::data_store::{Mmds, MmdsDatastoreError as MmdsError, MmdsVersion, OutputFormat};
 use crate::mmds::token::PATH_TO_TOKEN;
-use crate::mmds::token_headers::REJECTED_HEADER;
+use crate::mmds::token_headers::{
+    REJECTED_HEADER, X_METADATA_TOKEN_HEADER, X_METADATA_TOKEN_TTL_SECONDS_HEADER,
+    get_header_value_pair,
+};
 
 #[rustfmt::skip]
 #[derive(Debug, thiserror::Error, displaydoc::Display)]
@@ -142,23 +144,10 @@ fn respond_to_request_mmdsv1(mmds: &Mmds, request: Request) -> Response {
 }
 
 fn respond_to_request_mmdsv2(mmds: &mut Mmds, request: Request) -> Response {
-    // Fetch custom headers from request.
-    let token_headers = match TokenHeaders::try_from(request.headers.custom_entries()) {
-        Ok(token_headers) => token_headers,
-        Err(err) => {
-            return build_response(
-                request.http_version(),
-                StatusCode::BadRequest,
-                MediaType::PlainText,
-                Body::new(err.to_string()),
-            );
-        }
-    };
-
     // Allow only GET and PUT requests.
     match request.method() {
-        Method::Get => respond_to_get_request_checked(mmds, request, token_headers),
-        Method::Put => respond_to_put_request(mmds, request, token_headers),
+        Method::Get => respond_to_get_request_checked(mmds, request),
+        Method::Put => respond_to_put_request(mmds, request),
         _ => {
             let mut response = build_response(
                 request.http_version(),
@@ -173,26 +162,23 @@ fn respond_to_request_mmdsv2(mmds: &mut Mmds, request: Request) -> Response {
     }
 }
 
-fn respond_to_get_request_checked(
-    mmds: &Mmds,
-    request: Request,
-    token_headers: TokenHeaders,
-) -> Response {
-    // Get MMDS token from custom headers.
-    let token = match token_headers.x_metadata_token() {
-        Some(token) => token,
-        None => {
-            let error_msg = VmmMmdsError::NoTokenProvided.to_string();
-            return build_response(
-                request.http_version(),
-                StatusCode::Unauthorized,
-                MediaType::PlainText,
-                Body::new(error_msg),
-            );
-        }
-    };
+fn respond_to_get_request_checked(mmds: &Mmds, request: Request) -> Response {
+    // Check whether a token exists.
+    let token =
+        match get_header_value_pair(request.headers.custom_entries(), X_METADATA_TOKEN_HEADER) {
+            Some((_, token)) => token,
+            None => {
+                let error_msg = VmmMmdsError::NoTokenProvided.to_string();
+                return build_response(
+                    request.http_version(),
+                    StatusCode::Unauthorized,
+                    MediaType::PlainText,
+                    Body::new(error_msg),
+                );
+            }
+        };
 
-    // Validate MMDS token.
+    // Validate the token.
     match mmds.is_valid_token(token) {
         Ok(true) => respond_to_get_request_unchecked(mmds, request),
         Ok(false) => build_response(
@@ -248,17 +234,11 @@ fn respond_to_get_request_unchecked(mmds: &Mmds, request: Request) -> Response {
     }
 }
 
-fn respond_to_put_request(
-    mmds: &mut Mmds,
-    request: Request,
-    token_headers: TokenHeaders,
-) -> Response {
+fn respond_to_put_request(mmds: &mut Mmds, request: Request) -> Response {
+    let custom_headers = request.headers.custom_entries();
+
     // Reject `PUT` requests that contain `X-Forwarded-For` header.
-    if request
-        .headers
-        .custom_entries()
-        .contains_key(REJECTED_HEADER)
-    {
+    if custom_headers.contains_key(REJECTED_HEADER) {
         let error_msg = RequestError::HeaderError(HttpHeaderError::UnsupportedName(
             REJECTED_HEADER.to_string(),
         ))
@@ -287,17 +267,36 @@ fn respond_to_put_request(
     }
 
     // Get token lifetime value.
-    let ttl_seconds = match token_headers.x_metadata_token_ttl_seconds() {
-        Some(ttl_seconds) => ttl_seconds,
-        None => {
-            return build_response(
-                request.http_version(),
-                StatusCode::BadRequest,
-                MediaType::PlainText,
-                Body::new(VmmMmdsError::NoTtlProvided.to_string()),
-            );
-        }
-    };
+    let ttl_seconds =
+        match get_header_value_pair(custom_headers, X_METADATA_TOKEN_TTL_SECONDS_HEADER) {
+            // Header found
+            Some((k, v)) => match v.parse::<u32>() {
+                Ok(ttl_seconds) => ttl_seconds,
+                Err(_) => {
+                    return build_response(
+                        request.http_version(),
+                        StatusCode::BadRequest,
+                        MediaType::PlainText,
+                        Body::new(
+                            RequestError::HeaderError(HttpHeaderError::InvalidValue(
+                                k.into(),
+                                v.into(),
+                            ))
+                            .to_string(),
+                        ),
+                    );
+                }
+            },
+            // Header not found
+            None => {
+                return build_response(
+                    request.http_version(),
+                    StatusCode::BadRequest,
+                    MediaType::PlainText,
+                    Body::new(VmmMmdsError::NoTtlProvided.to_string()),
+                );
+            }
+        };
 
     // Generate token.
     let result = mmds.generate_token(ttl_seconds);
@@ -530,7 +529,7 @@ mod tests {
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
 
-        // Test invalid custom header value is ignored when V1 is configured.
+        // Test invalid custom header value is ignored if not PUT request to /latest/api/token.
         let (request, expected_response) = generate_request_and_expected_response(
             b"GET http://169.254.169.254/ HTTP/1.0\r\n\
               Accept: application/json\r\n\
@@ -576,23 +575,6 @@ mod tests {
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
 
-        // Test invalid value for custom header.
-        let request = Request::try_from(
-            b"GET http://169.254.169.254/ HTTP/1.0\r\n\
-              Accept: application/json\r\n\
-              X-metadata-token-ttl-seconds: -60\r\n\r\n",
-            None,
-        )
-        .unwrap();
-        let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
-        expected_response.set_content_type(MediaType::PlainText);
-        expected_response.set_body(Body::new(
-            "Invalid header. Reason: Invalid value. Key:X-metadata-token-ttl-seconds; Value:-60"
-                .to_string(),
-        ));
-        let actual_response = convert_to_response(mmds.clone(), request);
-        assert_eq!(actual_response, expected_response);
-
         // Test PUT requests.
         // Unsupported `X-Forwarded-For` header present.
         let request = Request::try_from(
@@ -624,6 +606,22 @@ mod tests {
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
 
+        // Test invalid X-metadata-token-ttl-seconds value gets BadRequest.
+        let request = Request::try_from(
+            b"PUT http://169.254.169.254/latest/api/token HTTP/1.0\r\n\
+              X-metadata-token-ttl-seconds: -60\r\n\r\n",
+            None,
+        )
+        .unwrap();
+        let mut expected_response = Response::new(Version::Http10, StatusCode::BadRequest);
+        expected_response.set_content_type(MediaType::PlainText);
+        expected_response.set_body(Body::new(
+            "Invalid header. Reason: Invalid value. Key:X-metadata-token-ttl-seconds; Value:-60"
+                .to_string(),
+        ));
+        let actual_response = convert_to_response(mmds.clone(), request);
+        assert_eq!(actual_response, expected_response);
+
         // Test invalid lifetime values for token.
         let invalid_values = [MIN_TOKEN_TTL_SECONDS - 1, MAX_TOKEN_TTL_SECONDS + 1];
         for invalid_value in invalid_values.iter() {
@@ -687,6 +685,21 @@ mod tests {
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
 
+        // Test invalid customer header value is ignored if not PUT request to /latest/api/token.
+        #[rustfmt::skip]
+        let (request, expected_response) = generate_request_and_expected_response(
+            format!(
+                "GET http://169.254.169.254/ HTTP/1.0\r\n\
+                 Accept: application/json\r\n\
+                 X-metadata-token: {valid_token}\r\n\
+                 X-metadata-token-ttl-seconds: -60\r\n\r\n",
+            )
+            .as_bytes(),
+            MediaType::ApplicationJson,
+        );
+        let actual_response = convert_to_response(mmds.clone(), request);
+        assert_eq!(actual_response, expected_response);
+
         // Test GET request towards unsupported value type.
         #[rustfmt::skip]
         let request = Request::try_from(