Support IMDSv2 #552
Support IMDSv2 #552
Conversation
|
Hi @jornfranke thanks for the PR, can you create a unit test for this. |
paws.common/R/config.R
Outdated
| metadata_url <- file.path( | ||
| "http://169.254.169.254/latest/meta-data", | ||
| query_path | ||
| ) | ||
| if (!(token=="")) { |
There was a problem hiding this comment.
Shouldn't we use token != "" ?
paws.common/R/config.R
Outdated
| "http://169.254.169.254/latest/api/token" | ||
| ) | ||
| metadata_token_request <- | ||
| new_http_request("PUT", metadata_token_url, timeout = 1, header=c("X-aws-ec2-metadata-token-ttl-seconds"= tokentimeout)) |
There was a problem hiding this comment.
Doesn't this exceed 80 characters? We haven't set up an lint just yet, however if you could update this to multiple lines that would be perfect :D something like
metadata_token_request <- new_http_request(
"PUT",
metadata_token_url,
timeout = 1,
header=c("X-aws-ec2-metadata-token-ttl-seconds"= tokentimeout)
)
| metadata_token_url <- file.path( | ||
| "http://169.254.169.254/latest/api/token" | ||
| ) |
There was a problem hiding this comment.
small thing, do we need file.path for just assigning a character :)
There was a problem hiding this comment.
This was taken over from the previous function - I just kept it the same to avoid inconsistencies as much as possible.
paws.common/R/config.R
Outdated
| NULL | ||
| } | ||
| ) | ||
| if (!((is.null(metadata_token_response) && metadata_token_response$status_code != 200))) { |
There was a problem hiding this comment.
Another small thing, isn't there 1 too many brackets? wouldn't something like this do?
if (!(is.null(metadata_token_response) && metadata_token_response$status_code != 200))
There was a problem hiding this comment.
yes you are right, it is a mistake
| @@ -55,7 +55,7 @@ HttpResponse <- struct( | |||
| # @param close Whether to immediately close the connection, or else reuse connections. | |||
| # @param timeout How long to wait for an initial response. | |||
| # @param dest Control where the response body is written | |||
| new_http_request <- function(method, url, body = NULL, close = FALSE, timeout = NULL, dest = NULL) { | |||
| new_http_request <- function(method, url, body = NULL, close = FALSE, timeout = NULL, dest = NULL, header = list()) { | |||
There was a problem hiding this comment.
I believe we are missing the corresponding documentation for header
@param header blah blah
Do you mind updating the documentation for this? I believe you will need to run roxygen2 to create the doc for it.
There was a problem hiding this comment.
yes of course - this one slipped through
|
@davidkretch when you have time do you have anything extra to add to this PR? |
|
thanks a lot for the detailed and fast review. All valid, will adapt it as soon as possible. |
It makes sense, but we do merely integration with the new IMDSv2 API. So we would need to create a mock IMDSv2 service and then write the test cases. I have not found one test for the previous IMDSv1 call (https://github.com/paws-r/paws/blob/main/paws.common/tests/testthat/test_config.R). Can you point me to one? Otherwise I propose to create a new issue for the integration test of IMDS (for both versions) as this probably is a bigger effort than providing the feature. Nevertheless, maybe you have already integration tests for other HTTP services used in paws? For now I did only test manually the integration using AWS Sagemaker Notebooks with IMDSv1 enforced. The library without the change does not work there. Only after adding IMDSv2 supprot it works. Let me know. |
Have you considered a mock test? so we can stud the api call? I am happy to look into it if you haven't done mock testing before :) |
|
no problem to create a mocktest. Do you have a preferred framework or so? Then I can use the preferred framework. I did not want create too many changes in paws as I am new to the paws code. |
|
Ok, I will try with mockery (for the reason that it seems to be more frequently maintained and have more contributors). I have to think about where I put the mock (probably I will mock the function new_http_request) and integrate mockery in paws. It will take a bit of time, but should not be too much. |
|
no worries :) if you need any help please feel free to reach out :) |
|
@jornfranke the first thing i should of asked is. Is this done in the other aws sdk? :P I went straight into dev mode without asking (my bad hahaha). |
not sure what you mean by "is this done in the other aws sdk"? |
|
I incorporated your comments. I also added two tests: one for the original functionality (that I did not implement) for IMDSv1 and one for the additional functionality (IMDSv2) that I implemented. Please let me know your feedback |
|
Btw.: Here you find how they do it in the official AWS Python SDK: https://github.com/boto/botocore/blob/master/botocore/utils.py#L372 I think it is roughly comparable how it is done for what I have implemented |
paws.common/R/config.R
Outdated
| @@ -182,14 +182,41 @@ get_instance_metadata <- function(query_path = "") { | |||
| if (trimws(tolower(get_env("AWS_EC2_METADATA_DISABLED"))) %in% c("true", "1")) { | |||
| return(NULL) | |||
| } | |||
| # Get token timeout for IMDSv2 tokens | |||
| tokentimeout=trimws(tolower(get_env("PAWS_EC2_IMDSV2_TOKEN_TIMEOUT_SECONDS"))) | |||
There was a problem hiding this comment.
can we change the assigning from = to <- :)
There was a problem hiding this comment.
I understand this gives us extra flexibility to the user however it seems botocore is using a private attribute: https://github.com/boto/botocore/blob/master/botocore/utils.py#L376. Should we do the same? :)
There was a problem hiding this comment.
yes we can do the same, maybe we should not be more clever than AWS :) I will change it
paws.common/R/config.R
Outdated
| # Get token timeout for IMDSv2 tokens | ||
| tokentimeout=trimws(tolower(get_env("PAWS_EC2_IMDSV2_TOKEN_TIMEOUT_SECONDS"))) | ||
| if (is.na(as.numeric(tokentimeout))) { | ||
| tokentimeout="30" |
There was a problem hiding this comment.
Shouldn't we try and mimic what is being done in botocore? and use '21600' as our token timeout? https://github.com/boto/botocore/blob/master/botocore/utils.py#L376
There was a problem hiding this comment.
yes same as above. I will change it
paws.common/R/config.R
Outdated
|
|
||
| # Get token timeout for IMDSv2 tokens | ||
| tokentimeout=trimws(tolower(get_env("PAWS_EC2_IMDSV2_TOKEN_TIMEOUT_SECONDS"))) | ||
| if (is.na(as.numeric(tokentimeout))) { |
There was a problem hiding this comment.
NIT: this can be simplified to !nzchar(tokentimeout)
There was a problem hiding this comment.
will be anyway removed with the change above
|
thanks for the review so far. I have included the latest proposals |
Codecov ReportBase: 81.82% // Head: 82.00% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #552 +/- ##
==========================================
+ Coverage 81.82% 82.00% +0.18%
==========================================
Files 122 122
Lines 6983 7087 +104
==========================================
+ Hits 5714 5812 +98
- Misses 1269 1275 +6
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
|
looks good to me, just had one question about forcing use of v2 only. |
|
@davidkretch is there anything else required? I think we are in a good place :) |
|
@DyfanJones looks good to me :-) |
|
I saw that after the merge one of the pipelines failed (the two others went through): It does not look directly related to the added code to me, but let me know if I can support troubleshooting |
|
@jornfranke not to worry, retry of the failed job seemed to fix it. Thank you again for pr. Please feel free to pr in the future. We always are grateful for all prs as they really do help in the maintanence and development of paws :) |
Support IDMSv2.
Tested with Sagemaker Notebooks with IMDSv2 enforced.
Configuration:
Optionally, set the environment variable "PAWS_EC2_IMDSV2_TOKEN_TIMEOUT_SECONDS" to the number of seconds after which the token should expire. The default (30 seconds) should be sufficient for nearly all use casesno configuration we use the same method as in boto3Solves: #441