metadata-v2: pull in joshathysolate-master

Taking of this PR to get it across the goal line.
This commit is contained in:
David Cowden 2020-07-22 04:15:34 -07:00
commit 5efe5f3573
3 changed files with 142 additions and 10 deletions

View file

@ -29,6 +29,19 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/
// awsSignatureURL is the url used to retrieve the instance identity signature. // awsSignatureURL is the url used to retrieve the instance identity signature.
const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature" const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
// awsAPITokenURL is the url used to get the IMDSv2 API token
const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
// -- we keep this short-lived since we get a new token with every call to readURL()
const awsAPITokenTTL = "30"
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
// awsCertificate is the certificate used to validate the instance identity // awsCertificate is the certificate used to validate the instance identity
// signature. // signature.
const awsCertificate = `-----BEGIN CERTIFICATE----- const awsCertificate = `-----BEGIN CERTIFICATE-----
@ -58,6 +71,8 @@ const awsSignatureAlgorithm = x509.SHA256WithRSA
type awsConfig struct { type awsConfig struct {
identityURL string identityURL string
signatureURL string signatureURL string
tokenURL string
tokenTTL string
certificate *x509.Certificate certificate *x509.Certificate
signatureAlgorithm x509.SignatureAlgorithm signatureAlgorithm x509.SignatureAlgorithm
} }
@ -74,6 +89,8 @@ func newAWSConfig() (*awsConfig, error) {
return &awsConfig{ return &awsConfig{
identityURL: awsIdentityURL, identityURL: awsIdentityURL,
signatureURL: awsSignatureURL, signatureURL: awsSignatureURL,
tokenURL: awsAPITokenURL,
tokenTTL: awsAPITokenTTL,
certificate: cert, certificate: cert,
signatureAlgorithm: awsSignatureAlgorithm, signatureAlgorithm: awsSignatureAlgorithm,
}, nil }, nil
@ -130,6 +147,7 @@ type AWS struct {
Accounts []string `json:"accounts"` Accounts []string `json:"accounts"`
DisableCustomSANs bool `json:"disableCustomSANs"` DisableCustomSANs bool `json:"disableCustomSANs"`
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"` DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
IMDSVersions []string `json:"imdsVersions"`
InstanceAge Duration `json:"instanceAge,omitempty"` InstanceAge Duration `json:"instanceAge,omitempty"`
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
claimer *Claimer claimer *Claimer
@ -183,14 +201,14 @@ func (p *AWS) GetIdentityToken(subject, caURL string) (string, error) {
var idoc awsInstanceIdentityDocument var idoc awsInstanceIdentityDocument
doc, err := p.readURL(p.config.identityURL) doc, err := p.readURL(p.config.identityURL)
if err != nil { if err != nil {
return "", errors.Wrap(err, "error retrieving identity document, are you in an AWS VM?") return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
} }
if err := json.Unmarshal(doc, &idoc); err != nil { if err := json.Unmarshal(doc, &idoc); err != nil {
return "", errors.Wrap(err, "error unmarshaling identity document") return "", errors.Wrap(err, "error unmarshaling identity document")
} }
sig, err := p.readURL(p.config.signatureURL) sig, err := p.readURL(p.config.signatureURL)
if err != nil { if err != nil {
return "", errors.Wrap(err, "error retrieving identity document signature, are you in an AWS VM?") return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
} }
signature, err := base64.StdEncoding.DecodeString(string(sig)) signature, err := base64.StdEncoding.DecodeString(string(sig))
if err != nil { if err != nil {
@ -264,6 +282,22 @@ func (p *AWS) Init(config Config) (err error) {
return err return err
} }
p.audiences = config.Audiences.WithFragment(p.GetID()) p.audiences = config.Audiences.WithFragment(p.GetID())
// validate IMDS versions
if len(p.IMDSVersions) == 0 {
p.IMDSVersions = []string{"v2", "v1"}
}
for _, v := range p.IMDSVersions {
switch v {
case "v1":
// valid
case "v2":
// valid
default:
return errors.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
}
}
return nil return nil
} }
@ -334,12 +368,87 @@ func (p *AWS) checkSignature(signed, signature []byte) error {
// using pkg/errors to avoid verbose errors, the caller should use it and write // using pkg/errors to avoid verbose errors, the caller should use it and write
// the appropriate error. // the appropriate error.
func (p *AWS) readURL(url string) ([]byte, error) { func (p *AWS) readURL(url string) ([]byte, error) {
r, err := http.Get(url) var resp *http.Response
var err error
for _, v := range p.IMDSVersions {
switch v {
case "v1":
resp, err = p.readURLv1(url)
if err == nil && resp.StatusCode < 400 {
return p.readResponseBody(resp)
}
case "v2":
resp, err = p.readURLv2(url)
if err == nil && resp.StatusCode < 400 {
return p.readResponseBody(resp)
}
default:
return nil, fmt.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
}
}
// all versions have been exhausted and we haven't returned successfully yet so pass
// the error on to the caller
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer r.Body.Close() return nil, fmt.Errorf("Request for metadata returned non-successful status code %d",
b, err := ioutil.ReadAll(r.Body) resp.StatusCode)
}
func (p *AWS) readURLv1(url string) (*http.Response, error) {
client := http.Client{}
req, err := http.NewRequest(http.MethodGet, url, nil)
if err != nil {
return nil, err
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
return resp, nil
}
func (p *AWS) readURLv2(url string) (*http.Response, error) {
client := http.Client{}
// first get the token
req, err := http.NewRequest(http.MethodPut, p.config.tokenURL, nil)
if err != nil {
return nil, err
}
req.Header.Set(awsMetadataTokenTTLHeader, p.config.tokenTTL)
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
return nil, fmt.Errorf("Request for API token returned non-successful status code %d", resp.StatusCode)
}
token, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
// now make the request
req, err = http.NewRequest(http.MethodGet, url, nil)
if err != nil {
return nil, err
}
req.Header.Set(awsMetadataTokenHeader, string(token))
resp, err = client.Do(req)
if err != nil {
return nil, err
}
return resp, nil
}
func (p *AWS) readResponseBody(resp *http.Response) ([]byte, error) {
defer resp.Body.Close()
b, err := ioutil.ReadAll(resp.Body)
if err != nil { if err != nil {
return nil, err return nil, err
} }

View file

@ -104,36 +104,42 @@ func TestAWS_GetIdentityToken(t *testing.T) {
p2.Accounts = p1.Accounts p2.Accounts = p1.Accounts
p2.config.identityURL = srv.URL + "/bad-document" p2.config.identityURL = srv.URL + "/bad-document"
p2.config.signatureURL = p1.config.signatureURL p2.config.signatureURL = p1.config.signatureURL
p2.config.tokenURL = p1.config.tokenURL
p3, err := generateAWS() p3, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
p3.Accounts = p1.Accounts p3.Accounts = p1.Accounts
p3.config.signatureURL = srv.URL p3.config.signatureURL = srv.URL
p3.config.identityURL = p1.config.identityURL p3.config.identityURL = p1.config.identityURL
p3.config.tokenURL = p1.config.tokenURL
p4, err := generateAWS() p4, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
p4.Accounts = p1.Accounts p4.Accounts = p1.Accounts
p4.config.signatureURL = srv.URL + "/bad-signature" p4.config.signatureURL = srv.URL + "/bad-signature"
p4.config.identityURL = p1.config.identityURL p4.config.identityURL = p1.config.identityURL
p4.config.tokenURL = p1.config.tokenURL
p5, err := generateAWS() p5, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
p5.Accounts = p1.Accounts p5.Accounts = p1.Accounts
p5.config.identityURL = "https://1234.1234.1234.1234" p5.config.identityURL = "https://1234.1234.1234.1234"
p5.config.signatureURL = p1.config.signatureURL p5.config.signatureURL = p1.config.signatureURL
p5.config.tokenURL = p1.config.tokenURL
p6, err := generateAWS() p6, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
p6.Accounts = p1.Accounts p6.Accounts = p1.Accounts
p6.config.identityURL = p1.config.identityURL p6.config.identityURL = p1.config.identityURL
p6.config.signatureURL = "https://1234.1234.1234.1234" p6.config.signatureURL = "https://1234.1234.1234.1234"
p6.config.tokenURL = p1.config.tokenURL
p7, err := generateAWS() p7, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)
p7.Accounts = p1.Accounts p7.Accounts = p1.Accounts
p7.config.identityURL = srv.URL + "/bad-json" p7.config.identityURL = srv.URL + "/bad-json"
p7.config.signatureURL = p1.config.signatureURL p7.config.signatureURL = p1.config.signatureURL
p7.config.tokenURL = p1.config.tokenURL
caURL := "https://ca.smallstep.com" caURL := "https://ca.smallstep.com"
u, err := url.Parse(caURL) u, err := url.Parse(caURL)

View file

@ -408,14 +408,17 @@ func generateAWS() (*AWS, error) {
return nil, errors.Wrap(err, "error parsing AWS certificate") return nil, errors.Wrap(err, "error parsing AWS certificate")
} }
return &AWS{ return &AWS{
Type: "AWS", Type: "AWS",
Name: name, Name: name,
Accounts: []string{accountID}, Accounts: []string{accountID},
Claims: &globalProvisionerClaims, Claims: &globalProvisionerClaims,
claimer: claimer, IMDSVersions: []string{"v2", "v1"},
claimer: claimer,
config: &awsConfig{ config: &awsConfig{
identityURL: awsIdentityURL, identityURL: awsIdentityURL,
signatureURL: awsSignatureURL, signatureURL: awsSignatureURL,
tokenURL: awsAPITokenURL,
tokenTTL: awsAPITokenTTL,
certificate: cert, certificate: cert,
signatureAlgorithm: awsSignatureAlgorithm, signatureAlgorithm: awsSignatureAlgorithm,
}, },
@ -457,12 +460,25 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
if err != nil { if err != nil {
return nil, nil, errors.Wrap(err, "error signing document") return nil, nil, errors.Wrap(err, "error signing document")
} }
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path { switch r.URL.Path {
case "/latest/dynamic/instance-identity/document": case "/latest/dynamic/instance-identity/document":
// check for API token
if r.Header.Get("X-aws-ec2-metadata-token") != token {
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("401 Unauthorized"))
}
w.Write(doc) w.Write(doc)
case "/latest/dynamic/instance-identity/signature": case "/latest/dynamic/instance-identity/signature":
// check for API token
if r.Header.Get("X-aws-ec2-metadata-token") != token {
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("401 Unauthorized"))
}
w.Write([]byte(base64.StdEncoding.EncodeToString(signature))) w.Write([]byte(base64.StdEncoding.EncodeToString(signature)))
case "/latest/api/token":
w.Write([]byte(token))
case "/bad-document": case "/bad-document":
w.Write([]byte("{}")) w.Write([]byte("{}"))
case "/bad-signature": case "/bad-signature":
@ -475,6 +491,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
})) }))
aws.config.identityURL = srv.URL + "/latest/dynamic/instance-identity/document" aws.config.identityURL = srv.URL + "/latest/dynamic/instance-identity/document"
aws.config.signatureURL = srv.URL + "/latest/dynamic/instance-identity/signature" aws.config.signatureURL = srv.URL + "/latest/dynamic/instance-identity/signature"
aws.config.tokenURL = srv.URL + "/latest/api/token"
return aws, srv, nil return aws, srv, nil
} }