aws: (chore) remove redundant metadata inheritance (envoyproxy#39290)

Metadata inherited from cached credentials
provider, which is no longer required due to curl deprecation. This
patch removes the unused needsrefresh calls and test cases from metadata
credential providers.

Signed-off-by: Nigel Brittain <[email protected]>

Author: nbaws

source/extensions/common/aws/cached_credentials_provider_base.h

@@ -8,8 +8,6 @@ namespace Extensions {
 namespace Common {
 namespace Aws {
 
-constexpr std::chrono::hours REFRESH_INTERVAL{1};
-
 class CachedCredentialsProviderBase : public CredentialsProvider,
                                       public Logger::Loggable<Logger::Id::aws> {
 public:

source/extensions/common/aws/credential_providers/container_credentials_provider.cc

@@ -22,17 +22,6 @@ ContainerCredentialsProvider::ContainerCredentialsProvider(
                                       initialization_timer),
       credential_uri_(credential_uri), authorization_token_(authorization_token) {}
 
-bool ContainerCredentialsProvider::needsRefresh() {
-  const auto now = api_.timeSource().systemTime();
-  auto expired = (now - last_updated_ > REFRESH_INTERVAL);
-
-  if (expiration_time_.has_value()) {
-    return expired || (expiration_time_.value() - now < REFRESH_GRACE_PERIOD);
-  } else {
-    return expired;
-  }
-}
-
 void ContainerCredentialsProvider::refresh() {
 
   absl::string_view host, path;

source/extensions/common/aws/credential_providers/container_credentials_provider.h

@@ -41,7 +41,6 @@ class ContainerCredentialsProvider : public MetadataCredentialsProviderBase,
   const std::string credential_uri_;
   const std::string authorization_token_;
 
-  bool needsRefresh() override;
   void refresh() override;
   void extractCredentials(const std::string&& credential_document_value);
 };

source/extensions/common/aws/credential_providers/instance_profile_credentials_provider.cc

@@ -20,10 +20,6 @@ InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(
                                       create_metadata_fetcher_cb, refresh_state,
                                       initialization_timer) {}
 
-bool InstanceProfileCredentialsProvider::needsRefresh() {
-  return api_.timeSource().systemTime() - last_updated_ > REFRESH_INTERVAL;
-}
-
 void InstanceProfileCredentialsProvider::refresh() {
 
   ENVOY_LOG(debug, "Getting AWS credentials from the EC2MetadataService");

source/extensions/common/aws/credential_providers/instance_profile_credentials_provider.h

@@ -38,7 +38,6 @@ class InstanceProfileCredentialsProvider : public MetadataCredentialsProviderBas
   std::string providerName() override { return "InstanceProfileCredentialsProvider"; };
 
 private:
-  bool needsRefresh() override;
   void refresh() override;
   void fetchInstanceRoleAsync(const std::string&& token);
   void fetchCredentialFromInstanceRoleAsync(const std::string&& instance_role,

source/extensions/common/aws/credential_providers/webidentity_credentials_provider.h

@@ -48,9 +48,6 @@ class WebIdentityCredentialsProvider : public MetadataCredentialsProviderBase,
   const std::string role_arn_;
   const std::string role_session_name_;
 
-  // This is required because of the base class handling non-async case, which can never be used for
-  // web identity provider
-  bool needsRefresh() override { return true; };
   void refresh() override;
   void extractCredentials(const std::string&& credential_document_value);
 };

source/extensions/common/aws/credentials_provider.h

@@ -16,6 +16,7 @@ namespace Aws {
 constexpr char AWS_ACCESS_KEY_ID[] = "AWS_ACCESS_KEY_ID";
 constexpr char AWS_SECRET_ACCESS_KEY[] = "AWS_SECRET_ACCESS_KEY";
 constexpr char AWS_SESSION_TOKEN[] = "AWS_SESSION_TOKEN";
+constexpr std::chrono::hours REFRESH_INTERVAL{1};
 
 /**
  * AWS credentials containers

source/extensions/common/aws/metadata_credentials_provider_base.cc

@@ -53,10 +53,8 @@ void MetadataCredentialsProviderBase::credentialsRetrievalError() {
   handleFetchDone();
 }
 
-// Async provider uses its own refresh mechanism. Calling refreshIfNeeded() here is not thread safe.
 bool MetadataCredentialsProviderBase::credentialsPending() { return credentials_pending_; }
 
-// Async provider uses its own refresh mechanism. Calling refreshIfNeeded() here is not thread safe.
 Credentials MetadataCredentialsProviderBase::getCredentials() {
 
   if (tls_slot_) {

source/extensions/common/aws/metadata_credentials_provider_base.h

@@ -1,7 +1,6 @@
 #pragma once
 
 #include "source/extensions/common/aws/aws_cluster_manager.h"
-#include "source/extensions/common/aws/cached_credentials_provider_base.h"
 #include "source/extensions/common/aws/credentials_provider.h"
 #include "source/extensions/common/aws/metadata_fetcher.h"
 
@@ -32,7 +31,8 @@ struct MetadataCredentialsProviderStats {
 using CreateMetadataFetcherCb =
     std::function<MetadataFetcherPtr(Upstream::ClusterManager&, absl::string_view)>;
 
-class MetadataCredentialsProviderBase : public CachedCredentialsProviderBase,
+class MetadataCredentialsProviderBase : public CredentialsProvider,
+                                        public Logger::Loggable<Logger::Id::aws>,
                                         public AwsManagedClusterUpdateCallbacks {
 public:
   friend class MetadataCredentialsProviderBaseFriend;
@@ -84,6 +84,8 @@ class MetadataCredentialsProviderBase : public CachedCredentialsProviderBase,
   // Set Credentials shared_ptr on all threads.
   void setCredentialsToAllThreads(CredentialsConstUniquePtr&& creds);
 
+  virtual void refresh() PURE;
+
   Api::Api& api_;
   // The optional server factory context.
   Server::Configuration::ServerFactoryContext& context_;

test/extensions/common/aws/credential_providers/webidentity_credentials_provider_test.cc

@@ -616,32 +616,6 @@ TEST_F(WebIdentityCredentialsProviderTest, UnexpectedResponseDuringStartup) {
   EXPECT_FALSE(credentials.sessionToken().has_value());
 }
 
-TEST_F(WebIdentityCredentialsProviderTest, Coverage) {
-
-  // Setup timer.
-  timer_ = new NiceMock<Event::MockTimer>(&context_.dispatcher_);
-  expectDocument(200, std::move(R"EOF(
-{
-  "AssumeRoleWithWebIdentityResponse": {
-    "UnexpectedResponse": ""
-  }
-}
-)EOF"));
-
-  setupProvider(MetadataFetcher::MetadataReceiver::RefreshState::FirstRefresh,
-                std::chrono::seconds(2));
-  timer_->enableTimer(std::chrono::milliseconds(1), nullptr);
-
-  EXPECT_CALL(*timer_, enableTimer(std::chrono::milliseconds(std::chrono::seconds(2)), nullptr));
-
-  // Kick off a refresh
-  auto provider_friend = MetadataCredentialsProviderBaseFriend(provider_);
-  provider_friend.onClusterAddOrUpdate();
-  timer_->invokeCallback();
-
-  EXPECT_TRUE(provider_friend.needsRefresh());
-}
-
 } // namespace Aws
 } // namespace Common
 } // namespace Extensions