Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an Option to Disable v2 to v1 Fallback #218

Merged
merged 10 commits into from
Nov 16, 2023
Merged

Add an Option to Disable v2 to v1 Fallback #218

merged 10 commits into from
Nov 16, 2023

Conversation

waahm7
Copy link
Contributor

@waahm7 waahm7 commented Nov 8, 2023

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

TingDaoK
TingDaoK reviewed Nov 9, 2023
View reviewed changes
source/aws_imds_client.c Outdated
@@ -509,7 +513,8 @@ static void s_client_on_token_response(struct imds_user_data *user_data) {
* we should fall back to insecure request. Otherwise, we should use
* token in following requests.
*/
if (user_data->status_code != AWS_HTTP_STATUS_CODE_200_OK || user_data->current_result.len == 0) {
if (!user_data->ec2_metadata_v1_disabled &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer to be more clear about this:

Suggested change
if (!user_data->ec2_metadata_v1_disabled &&
if (user_data->status_code != AWS_HTTP_STATUS_CODE_200_OK || user_data->current_result.len == 0) {
if (user_data->ec2_metadata_v1_disabled) {
//XXX failed to fetch creds and fallback disabled
}
else {
//XXX Fallback to retry
}
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I have refactored the code to the following.

	if(success){
	} else if(fallback disabled){
		// error out
	} else {
		fallback to v1.
	}

source/aws_imds_client.c Outdated
@@ -533,7 +538,10 @@ static void s_client_on_token_response(struct imds_user_data *user_data) {
uint64_t expire_timestamp = aws_add_u64_saturating(
current, aws_timestamp_convert(s_imds_token_ttl_secs, AWS_TIMESTAMP_SECS, AWS_TIMESTAMP_NANOS, NULL));
s_update_token_safely(
user_data->client, cursor.len == 0 ? NULL : &user_data->imds_token, cursor.len != 0, expire_timestamp);
user_data->client,
cursor.len == 0 ? NULL : &user_data->imds_token,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we checked that user_data->current_result is not empty and we have a 200, should we just error out if the cursor here is still empty?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added an assert, as it should not be empty at this point.

include/aws/auth/credentials.h
/*
* If true, fallback from v2 to v1 will be disabled for all cases
*/
bool ec2_metadata_v1_disabled;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ec2_metadata_v1_disabled, but you can still set the imds_version to V1 manually.

And, it's already part of IMDS options, I think we can skip the ec2_metadata part

Maybe v1_fallback_disabled?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ec2_metadata_v1_disabled will be used cross SDKs along with the relevant env variable.

source/aws_imds_client.c Outdated Show resolved Hide resolved
graebm
graebm approved these changes Nov 15, 2023
View reviewed changes
Copy link
Contributor

@graebm graebm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trivial-fixes, and format, and shipit

source/aws_imds_client.c Outdated Show resolved Hide resolved
source/aws_imds_client.c Outdated Show resolved Hide resolved
source/aws_imds_client.c Outdated Show resolved Hide resolved
source/aws_imds_client.c Outdated Show resolved Hide resolved
waahm7 and others added 4 commits November 15, 2023 15:49
@codecov-commenter
Copy link

codecov-commenter commented Nov 15, 2023
edited
Loading

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (71bad38) 79.61% compared to head (030456b) 79.62%.

Files Patch % Lines
source/aws_imds_client.c 88.88% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #218      +/-   ##
==========================================
+ Coverage   79.61%   79.62%   +0.01%     
==========================================
  Files          33       33              
  Lines        5773     5776       +3     
==========================================
+ Hits         4596     4599       +3     
  Misses       1177     1177

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@waahm7 waahm7 enabled auto-merge (squash) November 16, 2023 00:00
@waahm7 waahm7 merged commit 50f3e0d into main Nov 16, 2023
29 checks passed
@waahm7 waahm7 deleted the disable-v2-fallback branch November 16, 2023 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TingDaoK TingDaoK TingDaoK left review comments

@graebm graebm graebm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@waahm7 @codecov-commenter @graebm @TingDaoK