forked from TrueCloudLab/certificates
metadata-v2: pull in joshathysolate-master
Taking of this PR to get it across the goal line.
This commit is contained in:
commit
5efe5f3573
3 changed files with 142 additions and 10 deletions
|
@ -29,6 +29,19 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/
|
|||
// awsSignatureURL is the url used to retrieve the instance identity signature.
|
||||
const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
|
||||
|
||||
// awsAPITokenURL is the url used to get the IMDSv2 API token
|
||||
const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
|
||||
|
||||
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
|
||||
// -- we keep this short-lived since we get a new token with every call to readURL()
|
||||
const awsAPITokenTTL = "30"
|
||||
|
||||
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
|
||||
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
|
||||
|
||||
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
|
||||
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
|
||||
|
||||
// awsCertificate is the certificate used to validate the instance identity
|
||||
// signature.
|
||||
const awsCertificate = `-----BEGIN CERTIFICATE-----
|
||||
|
@ -58,6 +71,8 @@ const awsSignatureAlgorithm = x509.SHA256WithRSA
|
|||
type awsConfig struct {
|
||||
identityURL string
|
||||
signatureURL string
|
||||
tokenURL string
|
||||
tokenTTL string
|
||||
certificate *x509.Certificate
|
||||
signatureAlgorithm x509.SignatureAlgorithm
|
||||
}
|
||||
|
@ -74,6 +89,8 @@ func newAWSConfig() (*awsConfig, error) {
|
|||
return &awsConfig{
|
||||
identityURL: awsIdentityURL,
|
||||
signatureURL: awsSignatureURL,
|
||||
tokenURL: awsAPITokenURL,
|
||||
tokenTTL: awsAPITokenTTL,
|
||||
certificate: cert,
|
||||
signatureAlgorithm: awsSignatureAlgorithm,
|
||||
}, nil
|
||||
|
@ -130,6 +147,7 @@ type AWS struct {
|
|||
Accounts []string `json:"accounts"`
|
||||
DisableCustomSANs bool `json:"disableCustomSANs"`
|
||||
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
||||
IMDSVersions []string `json:"imdsVersions"`
|
||||
InstanceAge Duration `json:"instanceAge,omitempty"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
claimer *Claimer
|
||||
|
@ -183,14 +201,14 @@ func (p *AWS) GetIdentityToken(subject, caURL string) (string, error) {
|
|||
var idoc awsInstanceIdentityDocument
|
||||
doc, err := p.readURL(p.config.identityURL)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error retrieving identity document, are you in an AWS VM?")
|
||||
return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
|
||||
}
|
||||
if err := json.Unmarshal(doc, &idoc); err != nil {
|
||||
return "", errors.Wrap(err, "error unmarshaling identity document")
|
||||
}
|
||||
sig, err := p.readURL(p.config.signatureURL)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "error retrieving identity document signature, are you in an AWS VM?")
|
||||
return "", errors.Wrap(err, "error retrieving identity document:\n Are you in an AWS VM?\n Is the metadata service enabled?\n Are you using the proper metadata service version?")
|
||||
}
|
||||
signature, err := base64.StdEncoding.DecodeString(string(sig))
|
||||
if err != nil {
|
||||
|
@ -264,6 +282,22 @@ func (p *AWS) Init(config Config) (err error) {
|
|||
return err
|
||||
}
|
||||
p.audiences = config.Audiences.WithFragment(p.GetID())
|
||||
|
||||
// validate IMDS versions
|
||||
if len(p.IMDSVersions) == 0 {
|
||||
p.IMDSVersions = []string{"v2", "v1"}
|
||||
}
|
||||
for _, v := range p.IMDSVersions {
|
||||
switch v {
|
||||
case "v1":
|
||||
// valid
|
||||
case "v2":
|
||||
// valid
|
||||
default:
|
||||
return errors.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -334,12 +368,87 @@ func (p *AWS) checkSignature(signed, signature []byte) error {
|
|||
// using pkg/errors to avoid verbose errors, the caller should use it and write
|
||||
// the appropriate error.
|
||||
func (p *AWS) readURL(url string) ([]byte, error) {
|
||||
r, err := http.Get(url)
|
||||
var resp *http.Response
|
||||
var err error
|
||||
|
||||
for _, v := range p.IMDSVersions {
|
||||
switch v {
|
||||
case "v1":
|
||||
resp, err = p.readURLv1(url)
|
||||
if err == nil && resp.StatusCode < 400 {
|
||||
return p.readResponseBody(resp)
|
||||
}
|
||||
case "v2":
|
||||
resp, err = p.readURLv2(url)
|
||||
if err == nil && resp.StatusCode < 400 {
|
||||
return p.readResponseBody(resp)
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("%s: not a supported AWS Instance Metadata Service version", v)
|
||||
}
|
||||
}
|
||||
|
||||
// all versions have been exhausted and we haven't returned successfully yet so pass
|
||||
// the error on to the caller
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer r.Body.Close()
|
||||
b, err := ioutil.ReadAll(r.Body)
|
||||
return nil, fmt.Errorf("Request for metadata returned non-successful status code %d",
|
||||
resp.StatusCode)
|
||||
}
|
||||
|
||||
func (p *AWS) readURLv1(url string) (*http.Response, error) {
|
||||
client := http.Client{}
|
||||
|
||||
req, err := http.NewRequest(http.MethodGet, url, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (p *AWS) readURLv2(url string) (*http.Response, error) {
|
||||
client := http.Client{}
|
||||
|
||||
// first get the token
|
||||
req, err := http.NewRequest(http.MethodPut, p.config.tokenURL, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Header.Set(awsMetadataTokenTTLHeader, p.config.tokenTTL)
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode >= 400 {
|
||||
return nil, fmt.Errorf("Request for API token returned non-successful status code %d", resp.StatusCode)
|
||||
}
|
||||
token, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// now make the request
|
||||
req, err = http.NewRequest(http.MethodGet, url, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Header.Set(awsMetadataTokenHeader, string(token))
|
||||
resp, err = client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (p *AWS) readResponseBody(resp *http.Response) ([]byte, error) {
|
||||
defer resp.Body.Close()
|
||||
b, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -104,36 +104,42 @@ func TestAWS_GetIdentityToken(t *testing.T) {
|
|||
p2.Accounts = p1.Accounts
|
||||
p2.config.identityURL = srv.URL + "/bad-document"
|
||||
p2.config.signatureURL = p1.config.signatureURL
|
||||
p2.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
p3, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p3.Accounts = p1.Accounts
|
||||
p3.config.signatureURL = srv.URL
|
||||
p3.config.identityURL = p1.config.identityURL
|
||||
p3.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
p4, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p4.Accounts = p1.Accounts
|
||||
p4.config.signatureURL = srv.URL + "/bad-signature"
|
||||
p4.config.identityURL = p1.config.identityURL
|
||||
p4.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
p5, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p5.Accounts = p1.Accounts
|
||||
p5.config.identityURL = "https://1234.1234.1234.1234"
|
||||
p5.config.signatureURL = p1.config.signatureURL
|
||||
p5.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
p6, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p6.Accounts = p1.Accounts
|
||||
p6.config.identityURL = p1.config.identityURL
|
||||
p6.config.signatureURL = "https://1234.1234.1234.1234"
|
||||
p6.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
p7, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p7.Accounts = p1.Accounts
|
||||
p7.config.identityURL = srv.URL + "/bad-json"
|
||||
p7.config.signatureURL = p1.config.signatureURL
|
||||
p7.config.tokenURL = p1.config.tokenURL
|
||||
|
||||
caURL := "https://ca.smallstep.com"
|
||||
u, err := url.Parse(caURL)
|
||||
|
|
|
@ -412,10 +412,13 @@ func generateAWS() (*AWS, error) {
|
|||
Name: name,
|
||||
Accounts: []string{accountID},
|
||||
Claims: &globalProvisionerClaims,
|
||||
IMDSVersions: []string{"v2", "v1"},
|
||||
claimer: claimer,
|
||||
config: &awsConfig{
|
||||
identityURL: awsIdentityURL,
|
||||
signatureURL: awsSignatureURL,
|
||||
tokenURL: awsAPITokenURL,
|
||||
tokenTTL: awsAPITokenTTL,
|
||||
certificate: cert,
|
||||
signatureAlgorithm: awsSignatureAlgorithm,
|
||||
},
|
||||
|
@ -457,12 +460,25 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
|
|||
if err != nil {
|
||||
return nil, nil, errors.Wrap(err, "error signing document")
|
||||
}
|
||||
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.URL.Path {
|
||||
case "/latest/dynamic/instance-identity/document":
|
||||
// check for API token
|
||||
if r.Header.Get("X-aws-ec2-metadata-token") != token {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
w.Write([]byte("401 Unauthorized"))
|
||||
}
|
||||
w.Write(doc)
|
||||
case "/latest/dynamic/instance-identity/signature":
|
||||
// check for API token
|
||||
if r.Header.Get("X-aws-ec2-metadata-token") != token {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
w.Write([]byte("401 Unauthorized"))
|
||||
}
|
||||
w.Write([]byte(base64.StdEncoding.EncodeToString(signature)))
|
||||
case "/latest/api/token":
|
||||
w.Write([]byte(token))
|
||||
case "/bad-document":
|
||||
w.Write([]byte("{}"))
|
||||
case "/bad-signature":
|
||||
|
@ -475,6 +491,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
|
|||
}))
|
||||
aws.config.identityURL = srv.URL + "/latest/dynamic/instance-identity/document"
|
||||
aws.config.signatureURL = srv.URL + "/latest/dynamic/instance-identity/signature"
|
||||
aws.config.tokenURL = srv.URL + "/latest/api/token"
|
||||
return aws, srv, nil
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue