feat(mmds): Add metric to count GET requests with invalid tokens

zulinx86 · zulinx86 · commit a2865f717921 · 2025-07-07T06:43:02.000Z
In the previous commit, MMDS v1 was made to support token generation but
a given token to GET request was not validated. Validates the token and
increments a new metric `rx_invalid_token` if it is not valid.

Signed-off-by: Takahiro Itazuri &lt;itazur@amazon.com&gt;
diff --git a/src/vmm/src/logger/metrics.rs b/src/vmm/src/logger/metrics.rs
@@ -556,6 +556,8 @@ pub struct MmdsMetrics {
     pub rx_accepted_unusual: SharedIncMetric,
     /// The number of buffers which couldn't be parsed as valid Ethernet frames by the MMDS.
     pub rx_bad_eth: SharedIncMetric,
+    /// The number of GET requests with invalid tokens.
+    pub rx_invalid_token: SharedIncMetric,
     /// The total number of successful receive operations by the MMDS.
     pub rx_count: SharedIncMetric,
     /// The total number of bytes sent by the MMDS.
@@ -579,6 +581,7 @@ impl MmdsMetrics {
             rx_accepted_err: SharedIncMetric::new(),
             rx_accepted_unusual: SharedIncMetric::new(),
             rx_bad_eth: SharedIncMetric::new(),
+            rx_invalid_token: SharedIncMetric::new(),
             rx_count: SharedIncMetric::new(),
             tx_bytes: SharedIncMetric::new(),
             tx_count: SharedIncMetric::new(),
diff --git a/src/vmm/src/mmds/mod.rs b/src/vmm/src/mmds/mod.rs
@@ -19,6 +19,7 @@ use micro_http::{
 use serde_json::{Map, Value};
 use token_headers::{XMetadataToken, XMetadataTokenTtlSeconds};
 
+use crate::logger::{IncMetric, METRICS};
 use crate::mmds::data_store::{Mmds, MmdsDatastoreError as MmdsError, MmdsVersion, OutputFormat};
 use crate::mmds::token::PATH_TO_TOKEN;
 use crate::mmds::token_headers::REJECTED_HEADER;
@@ -141,7 +142,17 @@ pub fn convert_to_response(mmds: Arc<Mutex<Mmds>>, request: Request) -> Response
 }
 
 fn respond_to_get_request_v1(mmds: &Mmds, request: Request) -> Response {
-    // TODO: Increments metrics that will be added in an upcoming commit.
+    match XMetadataToken::from(request.headers.custom_entries()).0 {
+        Some(token) => {
+            if !mmds.is_valid_token(&token) {
+                METRICS.mmds.rx_invalid_token.inc();
+            }
+        }
+        None => {
+            // TODO: Increment a metric that will be added in an upcoming commit.
+        }
+    }
+
     respond_to_get_request(mmds, request)
 }
 
@@ -164,12 +175,15 @@ fn respond_to_get_request_v2(mmds: &Mmds, request: Request) -> Response {
     // Validate the token.
     match mmds.is_valid_token(&token) {
         true => respond_to_get_request(mmds, request),
-        false => build_response(
-            request.http_version(),
-            StatusCode::Unauthorized,
-            MediaType::PlainText,
-            Body::new(VmmMmdsError::InvalidToken.to_string()),
-        ),
+        false => {
+            METRICS.mmds.rx_invalid_token.inc();
+            build_response(
+                request.http_version(),
+                StatusCode::Unauthorized,
+                MediaType::PlainText,
+                Body::new(VmmMmdsError::InvalidToken.to_string()),
+            )
+        }
     }
 }
 
@@ -518,8 +532,10 @@ mod tests {
               Accept: application/json\r\n\r\n",
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test valid v2 request.
         let request = Request::try_from(
@@ -543,8 +559,10 @@ mod tests {
             .as_bytes(),
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test GET request with invalid token is accepted when v1 is configured.
         let (request, expected_response) = generate_request_and_expected_response(
@@ -553,8 +571,13 @@ mod tests {
               X-metadata-token: INVALID_TOKEN\r\n\r\n",
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds, request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(
+            prev_rx_invalid_token + 1,
+            METRICS.mmds.rx_invalid_token.count()
+        );
     }
 
     #[test]
@@ -689,8 +712,10 @@ mod tests {
             .as_bytes(),
             MediaType::ApplicationJson,
         );
+        let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
         let actual_response = convert_to_response(mmds.clone(), request);
         assert_eq!(actual_response, expected_response);
+        assert_eq!(prev_rx_invalid_token, METRICS.mmds.rx_invalid_token.count());
 
         // Test invalid customer header value is ignored if not PUT request to /latest/api/token.
         #[rustfmt::skip]
@@ -784,8 +809,13 @@ mod tests {
             let mut expected_response = Response::new(Version::Http10, StatusCode::Unauthorized);
             expected_response.set_content_type(MediaType::PlainText);
             expected_response.set_body(Body::new(VmmMmdsError::InvalidToken.to_string()));
+            let prev_rx_invalid_token = METRICS.mmds.rx_invalid_token.count();
             let actual_response = convert_to_response(mmds.clone(), request);
             assert_eq!(actual_response, expected_response);
+            assert_eq!(
+                prev_rx_invalid_token + 1,
+                METRICS.mmds.rx_invalid_token.count()
+            );
 
             // Wait for the second token to expire.
             std::thread::sleep(Duration::from_secs(1));
diff --git a/tests/host_tools/fcmetrics.py b/tests/host_tools/fcmetrics.py
@@ -185,6 +185,7 @@ def validate_fc_metrics(metrics):
             "rx_accepted_err",
             "rx_accepted_unusual",
             "rx_bad_eth",
+            "rx_invalid_token",
             "rx_count",
             "tx_bytes",
             "tx_count",
