forked from TrueCloudLab/certificates
metadata-v2: pull in joshathysolate-master
Taking of this PR to get it across the goal line.
This commit is contained in:
commit
5efe5f3573
3 changed files with 142 additions and 10 deletions
|
@ -29,6 +29,19 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/
|
||||||
// awsSignatureURL is the url used to retrieve the instance identity signature.
|
// awsSignatureURL is the url used to retrieve the instance identity signature.
|
||||||
const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
|
const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
|
||||||
|
|
||||||
|
// awsAPITokenURL is the url used to get the IMDSv2 API token
|
||||||
|
const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
|
||||||
|
|
||||||
|
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
|
||||||
|
// -- we keep this short-lived since we get a new token with every call to readURL()
|
||||||
|
const awsAPITokenTTL = "30"
|
||||||
|
|
||||||
|
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
|
||||||
|
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
|
||||||
|
|
||||||
|
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
|
||||||
|
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
|
||||||
|
|
||||||
// awsCertificate is the certificate used to validate the instance identity
|
// awsCertificate is the certificate used to validate the instance identity
|
||||||
// signature.
|
// signature.
|
||||||
const awsCertificate = `-----BEGIN CERTIFICATE-----
|
const awsCertificate = `-----BEGIN CERTIFICATE-----
|
||||||
|
@ -58,6 +71,8 @@ const awsSignatureAlgorithm = x509.SHA256WithRSA
|
||||||
type awsConfig struct {
|
type awsConfig struct {
|
||||||
identityURL string
|
identityURL string
|
||||||
signatureURL string
|
signatureURL string
|
||||||
|
tokenURL string
|
||||||
|
tokenTTL string
|
||||||
certificate *x509.Certificate
|
certificate *x509.Certificate
|
||||||
signatureAlgorithm x509.SignatureAlgorithm
|
signatureAlgorithm x509.SignatureAlgorithm
|
||||||
}
|
}
|
||||||
|
@ -74,6 +89,8 @@ func newAWSConfig() (*awsConfig, error) {
|
||||||
return &awsConfig{
|
return &awsConfig{
|
||||||
identityURL: awsIdentityURL,
|
identityURL: awsIdentityURL,
|
||||||
signatureURL: awsSignatureURL,
|
signatureURL: awsSignatureURL,
|
||||||
|
tokenURL: awsAPITokenURL,
|
||||||
|
tokenTTL: awsAPITokenTTL,
|
||||||
certificate: cert,
|
certificate: cert,
|
||||||
signatureAlgorithm: awsSignatureAlgorithm,
|
signatureAlgorithm: awsSignatureAlgorithm,
|
||||||
}, nil
|
}, nil
|
||||||
|
@ -130,6 +147,7 @@ type AWS struct {
|
||||||
Accounts []string `json:"accounts"`
|
Accounts []string `json:"accounts"`
|
||||||
DisableCustomSANs bool `json:"disableCustomSANs"`
|
DisableCustomSANs bool `json:"disableCustomSANs"`
|
||||||
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
||||||
|
IMDSVersions []string `json:"imdsVersions"`
|
||||||
InstanceAge Duration `json:"instanceAge,omitempty"`
|
InstanceAge Duration `json:"instanceAge,omitempty"`
|
||||||
Claims *Claims `json:"claims,omitempty"`
|
Claims *Claims `json:"claims,omitempty"`
|
||||||
claimer *Claimer
|
claimer *Claimer
|
||||||
|
@ -183,14 +201,14 @@ func (p *AWS) GetIdentityToken(subject, caURL string) (string, error) {
|
||||||
var idoc awsInstanceIdentityDocument
|
var idoc awsInstanceIdentityDocument
|
||||||
doc, err := p.readURL(p.config.identityURL)
|
doc, err := p.readURL(p.config.identityURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.Wrap(err, "error retrieving identity document, are you in an AWS VM?")
|
return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
|
||||||
}
|
}
|
||||||
if err := json.Unmarshal(doc, &idoc); err != nil {
|
if err := json.Unmarshal(doc, &idoc); err != nil {
|
||||||
return "", errors.Wrap(err, "error unmarshaling identity document")
|
return "", errors.Wrap(err, "error unmarshaling identity document")
|
||||||
}
|
}
|
||||||
sig, err := p.readURL(p.config.signatureURL)
|
sig, err := p.readURL(p.config.signatureURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.Wrap(err, "error retrieving identity document signature, are you in an AWS VM?")
|
return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
|
||||||
}
|
}
|
||||||
signature, err := base64.StdEncoding.DecodeString(string(sig))
|
signature, err := base64.StdEncoding.DecodeString(string(sig))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -264,6 +282,22 @@ func (p *AWS) Init(config Config) (err error) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
p.audiences = config.Audiences.WithFragment(p.GetID())
|
p.audiences = config.Audiences.WithFragment(p.GetID())
|
||||||
|
|
||||||
|
// validate IMDS versions
|
||||||
|
if len(p.IMDSVersions) == 0 {
|
||||||
|
p.IMDSVersions = []string{"v2", "v1"}
|
||||||
|
}
|
||||||
|
for _, v := range p.IMDSVersions {
|
||||||
|
switch v {
|
||||||
|
case "v1":
|
||||||
|
// valid
|
||||||
|
case "v2":
|
||||||
|
// valid
|
||||||
|
default:
|
||||||
|
return errors.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -334,12 +368,87 @@ func (p *AWS) checkSignature(signed, signature []byte) error {
|
||||||
// using pkg/errors to avoid verbose errors, the caller should use it and write
|
// using pkg/errors to avoid verbose errors, the caller should use it and write
|
||||||
// the appropriate error.
|
// the appropriate error.
|
||||||
func (p *AWS) readURL(url string) ([]byte, error) {
|
func (p *AWS) readURL(url string) ([]byte, error) {
|
||||||
r, err := http.Get(url)
|
var resp *http.Response
|
||||||
|
var err error
|
||||||
|
|
||||||
|
for _, v := range p.IMDSVersions {
|
||||||
|
switch v {
|
||||||
|
case "v1":
|
||||||
|
resp, err = p.readURLv1(url)
|
||||||
|
if err == nil && resp.StatusCode < 400 {
|
||||||
|
return p.readResponseBody(resp)
|
||||||
|
}
|
||||||
|
case "v2":
|
||||||
|
resp, err = p.readURLv2(url)
|
||||||
|
if err == nil && resp.StatusCode < 400 {
|
||||||
|
return p.readResponseBody(resp)
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// all versions have been exhausted and we haven't returned successfully yet so pass
|
||||||
|
// the error on to the caller
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
defer r.Body.Close()
|
return nil, fmt.Errorf("Request for metadata returned non-successful status code %d",
|
||||||
b, err := ioutil.ReadAll(r.Body)
|
resp.StatusCode)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *AWS) readURLv1(url string) (*http.Response, error) {
|
||||||
|
client := http.Client{}
|
||||||
|
|
||||||
|
req, err := http.NewRequest(http.MethodGet, url, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return resp, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *AWS) readURLv2(url string) (*http.Response, error) {
|
||||||
|
client := http.Client{}
|
||||||
|
|
||||||
|
// first get the token
|
||||||
|
req, err := http.NewRequest(http.MethodPut, p.config.tokenURL, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
req.Header.Set(awsMetadataTokenTTLHeader, p.config.tokenTTL)
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
if resp.StatusCode >= 400 {
|
||||||
|
return nil, fmt.Errorf("Request for API token returned non-successful status code %d", resp.StatusCode)
|
||||||
|
}
|
||||||
|
token, err := ioutil.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// now make the request
|
||||||
|
req, err = http.NewRequest(http.MethodGet, url, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
req.Header.Set(awsMetadataTokenHeader, string(token))
|
||||||
|
resp, err = client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return resp, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *AWS) readResponseBody(resp *http.Response) ([]byte, error) {
|
||||||
|
defer resp.Body.Close()
|
||||||
|
b, err := ioutil.ReadAll(resp.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -104,36 +104,42 @@ func TestAWS_GetIdentityToken(t *testing.T) {
|
||||||
p2.Accounts = p1.Accounts
|
p2.Accounts = p1.Accounts
|
||||||
p2.config.identityURL = srv.URL + "/bad-document"
|
p2.config.identityURL = srv.URL + "/bad-document"
|
||||||
p2.config.signatureURL = p1.config.signatureURL
|
p2.config.signatureURL = p1.config.signatureURL
|
||||||
|
p2.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
p3, err := generateAWS()
|
p3, err := generateAWS()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
p3.Accounts = p1.Accounts
|
p3.Accounts = p1.Accounts
|
||||||
p3.config.signatureURL = srv.URL
|
p3.config.signatureURL = srv.URL
|
||||||
p3.config.identityURL = p1.config.identityURL
|
p3.config.identityURL = p1.config.identityURL
|
||||||
|
p3.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
p4, err := generateAWS()
|
p4, err := generateAWS()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
p4.Accounts = p1.Accounts
|
p4.Accounts = p1.Accounts
|
||||||
p4.config.signatureURL = srv.URL + "/bad-signature"
|
p4.config.signatureURL = srv.URL + "/bad-signature"
|
||||||
p4.config.identityURL = p1.config.identityURL
|
p4.config.identityURL = p1.config.identityURL
|
||||||
|
p4.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
p5, err := generateAWS()
|
p5, err := generateAWS()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
p5.Accounts = p1.Accounts
|
p5.Accounts = p1.Accounts
|
||||||
p5.config.identityURL = "https://1234.1234.1234.1234"
|
p5.config.identityURL = "https://1234.1234.1234.1234"
|
||||||
p5.config.signatureURL = p1.config.signatureURL
|
p5.config.signatureURL = p1.config.signatureURL
|
||||||
|
p5.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
p6, err := generateAWS()
|
p6, err := generateAWS()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
p6.Accounts = p1.Accounts
|
p6.Accounts = p1.Accounts
|
||||||
p6.config.identityURL = p1.config.identityURL
|
p6.config.identityURL = p1.config.identityURL
|
||||||
p6.config.signatureURL = "https://1234.1234.1234.1234"
|
p6.config.signatureURL = "https://1234.1234.1234.1234"
|
||||||
|
p6.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
p7, err := generateAWS()
|
p7, err := generateAWS()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
p7.Accounts = p1.Accounts
|
p7.Accounts = p1.Accounts
|
||||||
p7.config.identityURL = srv.URL + "/bad-json"
|
p7.config.identityURL = srv.URL + "/bad-json"
|
||||||
p7.config.signatureURL = p1.config.signatureURL
|
p7.config.signatureURL = p1.config.signatureURL
|
||||||
|
p7.config.tokenURL = p1.config.tokenURL
|
||||||
|
|
||||||
caURL := "https://ca.smallstep.com"
|
caURL := "https://ca.smallstep.com"
|
||||||
u, err := url.Parse(caURL)
|
u, err := url.Parse(caURL)
|
||||||
|
|
|
@ -408,14 +408,17 @@ func generateAWS() (*AWS, error) {
|
||||||
return nil, errors.Wrap(err, "error parsing AWS certificate")
|
return nil, errors.Wrap(err, "error parsing AWS certificate")
|
||||||
}
|
}
|
||||||
return &AWS{
|
return &AWS{
|
||||||
Type: "AWS",
|
Type: "AWS",
|
||||||
Name: name,
|
Name: name,
|
||||||
Accounts: []string{accountID},
|
Accounts: []string{accountID},
|
||||||
Claims: &globalProvisionerClaims,
|
Claims: &globalProvisionerClaims,
|
||||||
claimer: claimer,
|
IMDSVersions: []string{"v2", "v1"},
|
||||||
|
claimer: claimer,
|
||||||
config: &awsConfig{
|
config: &awsConfig{
|
||||||
identityURL: awsIdentityURL,
|
identityURL: awsIdentityURL,
|
||||||
signatureURL: awsSignatureURL,
|
signatureURL: awsSignatureURL,
|
||||||
|
tokenURL: awsAPITokenURL,
|
||||||
|
tokenTTL: awsAPITokenTTL,
|
||||||
certificate: cert,
|
certificate: cert,
|
||||||
signatureAlgorithm: awsSignatureAlgorithm,
|
signatureAlgorithm: awsSignatureAlgorithm,
|
||||||
},
|
},
|
||||||
|
@ -457,12 +460,25 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, errors.Wrap(err, "error signing document")
|
return nil, nil, errors.Wrap(err, "error signing document")
|
||||||
}
|
}
|
||||||
|
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
|
||||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
switch r.URL.Path {
|
switch r.URL.Path {
|
||||||
case "/latest/dynamic/instance-identity/document":
|
case "/latest/dynamic/instance-identity/document":
|
||||||
|
// check for API token
|
||||||
|
if r.Header.Get("X-aws-ec2-metadata-token") != token {
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
w.Write([]byte("401 Unauthorized"))
|
||||||
|
}
|
||||||
w.Write(doc)
|
w.Write(doc)
|
||||||
case "/latest/dynamic/instance-identity/signature":
|
case "/latest/dynamic/instance-identity/signature":
|
||||||
|
// check for API token
|
||||||
|
if r.Header.Get("X-aws-ec2-metadata-token") != token {
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
w.Write([]byte("401 Unauthorized"))
|
||||||
|
}
|
||||||
w.Write([]byte(base64.StdEncoding.EncodeToString(signature)))
|
w.Write([]byte(base64.StdEncoding.EncodeToString(signature)))
|
||||||
|
case "/latest/api/token":
|
||||||
|
w.Write([]byte(token))
|
||||||
case "/bad-document":
|
case "/bad-document":
|
||||||
w.Write([]byte("{}"))
|
w.Write([]byte("{}"))
|
||||||
case "/bad-signature":
|
case "/bad-signature":
|
||||||
|
@ -475,6 +491,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
|
||||||
}))
|
}))
|
||||||
aws.config.identityURL = srv.URL + "/latest/dynamic/instance-identity/document"
|
aws.config.identityURL = srv.URL + "/latest/dynamic/instance-identity/document"
|
||||||
aws.config.signatureURL = srv.URL + "/latest/dynamic/instance-identity/signature"
|
aws.config.signatureURL = srv.URL + "/latest/dynamic/instance-identity/signature"
|
||||||
|
aws.config.tokenURL = srv.URL + "/latest/api/token"
|
||||||
return aws, srv, nil
|
return aws, srv, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue