1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
package imds
import (
"context"
"errors"
"fmt"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/smithy-go"
"github.com/aws/smithy-go/logging"
"net/http"
"sync"
"sync/atomic"
"time"
"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"
)
const (
// Headers for Token and TTL
tokenHeader = "x-aws-ec2-metadata-token"
defaultTokenTTL = 5 * time.Minute
)
type tokenProvider struct {
client *Client
tokenTTL time.Duration
token *apiToken
tokenMux sync.RWMutex
disabled uint32 // Atomic updated
}
func newTokenProvider(client *Client, ttl time.Duration) *tokenProvider {
return &tokenProvider{
client: client,
tokenTTL: ttl,
}
}
// apiToken provides the API token used by all operation calls for th EC2
// Instance metadata service.
type apiToken struct {
token string
expires time.Time
}
var timeNow = time.Now
// Expired returns if the token is expired.
func (t *apiToken) Expired() bool {
// Calling Round(0) on the current time will truncate the monotonic reading only. Ensures credential expiry
// time is always based on reported wall-clock time.
return timeNow().Round(0).After(t.expires)
}
func (t *tokenProvider) ID() string { return "APITokenProvider" }
// HandleFinalize is the finalize stack middleware, that if the token provider is
// enabled, will attempt to add the cached API token to the request. If the API
// token is not cached, it will be retrieved in a separate API call, getToken.
//
// For retry attempts, handler must be added after attempt retryer.
//
// If request for getToken fails the token provider may be disabled from future
// requests, depending on the response status code.
func (t *tokenProvider) HandleFinalize(
ctx context.Context, input middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
if t.fallbackEnabled() && !t.enabled() {
// short-circuits to insecure data flow if token provider is disabled.
return next.HandleFinalize(ctx, input)
}
req, ok := input.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, fmt.Errorf("unexpected transport request type %T", input.Request)
}
tok, err := t.getToken(ctx)
if err != nil {
// If the error allows the token to downgrade to insecure flow allow that.
var bypassErr *bypassTokenRetrievalError
if errors.As(err, &bypassErr) {
return next.HandleFinalize(ctx, input)
}
return out, metadata, fmt.Errorf("failed to get API token, %w", err)
}
req.Header.Set(tokenHeader, tok.token)
return next.HandleFinalize(ctx, input)
}
// HandleDeserialize is the deserialize stack middleware for determining if the
// operation the token provider is decorating failed because of a 401
// unauthorized status code. If the operation failed for that reason the token
// provider needs to be re-enabled so that it can start adding the API token to
// operation calls.
func (t *tokenProvider) HandleDeserialize(
ctx context.Context, input middleware.DeserializeInput, next middleware.DeserializeHandler,
) (
out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
) {
out, metadata, err = next.HandleDeserialize(ctx, input)
if err == nil {
return out, metadata, err
}
resp, ok := out.RawResponse.(*smithyhttp.Response)
if !ok {
return out, metadata, fmt.Errorf("expect HTTP transport, got %T", out.RawResponse)
}
if resp.StatusCode == http.StatusUnauthorized { // unauthorized
t.enable()
err = &retryableError{Err: err, isRetryable: true}
}
return out, metadata, err
}
func (t *tokenProvider) getToken(ctx context.Context) (tok *apiToken, err error) {
if t.fallbackEnabled() && !t.enabled() {
return nil, &bypassTokenRetrievalError{
Err: fmt.Errorf("cannot get API token, provider disabled"),
}
}
t.tokenMux.RLock()
tok = t.token
t.tokenMux.RUnlock()
if tok != nil && !tok.Expired() {
return tok, nil
}
tok, err = t.updateToken(ctx)
if err != nil {
return nil, err
}
return tok, nil
}
func (t *tokenProvider) updateToken(ctx context.Context) (*apiToken, error) {
t.tokenMux.Lock()
defer t.tokenMux.Unlock()
// Prevent multiple requests to update retrieving the token.
if t.token != nil && !t.token.Expired() {
tok := t.token
return tok, nil
}
result, err := t.client.getToken(ctx, &getTokenInput{
TokenTTL: t.tokenTTL,
})
if err != nil {
var statusErr interface{ HTTPStatusCode() int }
if errors.As(err, &statusErr) {
switch statusErr.HTTPStatusCode() {
// Disable future get token if failed because of 403, 404, or 405
case http.StatusForbidden,
http.StatusNotFound,
http.StatusMethodNotAllowed:
if t.fallbackEnabled() {
logger := middleware.GetLogger(ctx)
logger.Logf(logging.Warn, "falling back to IMDSv1: %v", err)
t.disable()
}
// 400 errors are terminal, and need to be upstreamed
case http.StatusBadRequest:
return nil, err
}
}
// Disable if request send failed or timed out getting response
var re *smithyhttp.RequestSendError
var ce *smithy.CanceledError
if errors.As(err, &re) || errors.As(err, &ce) {
atomic.StoreUint32(&t.disabled, 1)
}
if !t.fallbackEnabled() {
// NOTE: getToken() is an implementation detail of some outer operation
// (e.g. GetMetadata). It has its own retries that have already been exhausted.
// Mark the underlying error as a terminal error.
err = &retryableError{Err: err, isRetryable: false}
return nil, err
}
// Token couldn't be retrieved, fallback to IMDSv1 insecure flow for this request
// and allow the request to proceed. Future requests _may_ re-attempt fetching a
// token if not disabled.
return nil, &bypassTokenRetrievalError{Err: err}
}
tok := &apiToken{
token: result.Token,
expires: timeNow().Add(result.TokenTTL),
}
t.token = tok
return tok, nil
}
// enabled returns if the token provider is current enabled or not.
func (t *tokenProvider) enabled() bool {
return atomic.LoadUint32(&t.disabled) == 0
}
// fallbackEnabled returns false if EnableFallback is [aws.FalseTernary], true otherwise
func (t *tokenProvider) fallbackEnabled() bool {
switch t.client.options.EnableFallback {
case aws.FalseTernary:
return false
default:
return true
}
}
// disable disables the token provider and it will no longer attempt to inject
// the token, nor request updates.
func (t *tokenProvider) disable() {
atomic.StoreUint32(&t.disabled, 1)
}
// enable enables the token provide to start refreshing tokens, and adding them
// to the pending request.
func (t *tokenProvider) enable() {
t.tokenMux.Lock()
t.token = nil
t.tokenMux.Unlock()
atomic.StoreUint32(&t.disabled, 0)
}
type bypassTokenRetrievalError struct {
Err error
}
func (e *bypassTokenRetrievalError) Error() string {
return fmt.Sprintf("bypass token retrieval, %v", e.Err)
}
func (e *bypassTokenRetrievalError) Unwrap() error { return e.Err }
type retryableError struct {
Err error
isRetryable bool
}
func (e *retryableError) RetryableError() bool { return e.isRetryable }
func (e *retryableError) Error() string { return e.Err.Error() }
|
