Copy over some stuff from previous PR

awslabs · May 7, 2024 · fde7ad1 · fde7ad1
1 parent 140652a
commit fde7ad1
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,6 +20,7 @@ jobs:
   linux-compat:
     runs-on: ubuntu-20.04 # latest
     strategy:
+      fail-fast: false
       matrix:
         image:
           - manylinux1-x64
@@ -40,6 +41,7 @@ jobs:
   linux-compiler-compat:
     runs-on: ubuntu-20.04 # latest
     strategy:
+      fail-fast: false
       matrix:
         compiler:
           - clang-3
@@ -80,6 +82,7 @@ jobs:
   windows-vc14:
     runs-on: windows-2019 # windows-2019 is last env with Visual Studio 2015 (v14.0)
     strategy:
+      fail-fast: false
       matrix:
         arch: [x86, x64]
     steps:

diff --git a/include/aws/auth/auth.h b/include/aws/auth/auth.h
@@ -52,6 +52,7 @@ enum aws_auth_errors {
     AWS_AUTH_IMDS_CLIENT_SOURCE_FAILURE,
     AWS_AUTH_PROFILE_STS_CREDENTIALS_PROVIDER_CYCLE_FAILURE,
     AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_TOKEN_FILE_PATH,
+    AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST,
 
     AWS_AUTH_ERROR_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_AUTH_PACKAGE_ID)
 };

diff --git a/source/auth.c b/source/auth.c
@@ -112,6 +112,9 @@ static struct aws_error_info s_errors[] = {
         AWS_DEFINE_ERROR_INFO_AUTH(
     AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_TOKEN_FILE_PATH,
         "Failed to read the ECS token file specified in the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable."),
+        AWS_DEFINE_ERROR_INFO_AUTH(
+    AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST,
+        "Failed to establish connection. The specified host is not allowed. It must be a loopback address, ECS/EKS container host, or use HTTPS."),
 };
 /* clang-format on */
 

diff --git a/source/credentials_provider_ecs.c b/source/credentials_provider_ecs.c
@@ -10,6 +10,7 @@
 #include <aws/common/clock.h>
 #include <aws/common/date_time.h>
 #include <aws/common/environment.h>
+#include <aws/common/host_utils.h>
 #include <aws/common/string.h>
 #include <aws/http/connection.h>
 #include <aws/http/connection_manager.h>
@@ -45,6 +46,7 @@ struct aws_credentials_provider_ecs_impl {
     struct aws_string *path_and_query;
     struct aws_string *auth_token_file_path;
     struct aws_string *auth_token;
+    bool is_https;
 };
 
 /*
@@ -459,6 +461,56 @@ static void s_ecs_on_acquire_connection(struct aws_http_connection *connection,
     s_ecs_query_task_role_credentials(ecs_user_data);
 }
 
+/*
+ *  *  The host must use either HTTPS or the resolved IP address must satisfy one of the following:
+ *   *   1. within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
+ *    *   2. corresponds to the ECS container host 169.254.170.2
+ *     *   3. corresponds to the EKS container host IPs (IPv4 169.254.170.23, IPv6 fd00:ec2::23)
+ *      */
+static bool s_is_valid_remote_host_ip(
+    struct aws_credentials_provider_ecs_user_data *ecs_user_data,
+    struct aws_http_connection *connection) {
+    struct aws_credentials_provider_ecs_impl *impl = ecs_user_data->ecs_provider->impl;
+
+    if (impl->is_https) {
+        return true;
+    }
+
+    bool result = false;
+
+    const struct aws_byte_cursor address =
+        aws_byte_cursor_from_c_str(aws_http_connection_get_remote_endpoint(connection)->address);
+    AWS_LOGF_INFO(
+        AWS_LS_AUTH_CREDENTIALS_PROVIDER,
+        "id=%p: the ip address of connected remove endpoint is " PRInSTR "",
+        (void *)ecs_user_data->ecs_provider,
+        AWS_BYTE_CURSOR_PRI(address));
+    if (aws_host_utils_is_ipv4(address)) {
+        const struct aws_byte_cursor ipv4_loopback_address_prefix = aws_byte_cursor_from_c_str("127.");
+        const struct aws_byte_cursor ecs_container_host_address = aws_byte_cursor_from_c_str("169.254.170.2");
+        const struct aws_byte_cursor eks_container_host_address = aws_byte_cursor_from_c_str("169.254.170.23");
+
+        result |= aws_byte_cursor_starts_with(&address, &ipv4_loopback_address_prefix);
+        result |= aws_byte_cursor_eq(&address, &ecs_container_host_address);
+        result |= aws_byte_cursor_eq(&address, &eks_container_host_address);
+
+    } else if (aws_host_utils_is_ipv6(
+                   address, false)) { /* Check for both the short form and long form of an IPv6 address to be safe. */
+        const struct aws_byte_cursor ipv6_loopback_address = aws_byte_cursor_from_c_str("::1");
+        const struct aws_byte_cursor ipv6_loopback_address_verbose = aws_byte_cursor_from_c_str("0:0:0:0:0:0:0:1");
+        const struct aws_byte_cursor eks_container_host_ipv6_address = aws_byte_cursor_from_c_str("fd00:ec2::23");
+        const struct aws_byte_cursor eks_container_host_ipv6_address_verbose =
+            aws_byte_cursor_from_c_str("fd00:ec2:0:0:0:0:0:23");
+
+        result |= aws_byte_cursor_eq(&address, &ipv6_loopback_address);
+        result |= aws_byte_cursor_eq(&address, &ipv6_loopback_address_verbose);
+        result |= aws_byte_cursor_eq(&address, &eks_container_host_ipv6_address);
+        result |= aws_byte_cursor_eq(&address, &eks_container_host_ipv6_address_verbose);
+    }
+
+    return result;
+}
+
 static int s_credentials_provider_ecs_get_credentials_async(
     struct aws_credentials_provider *provider,
     aws_on_get_credentials_callback_fn callback,
@@ -568,6 +620,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_ecs(
                 aws_error_debug_str(aws_last_error()));
             goto on_error;
         }
+        impl->is_https = true;
     }
 
     struct aws_socket_options socket_options;