Modify and Merge http cred provider logic

aws · Aug 24, 2023 · 0be20ae · 0be20ae
1 parent d5735f7
commit 0be20ae
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 53 deletions.
diff --git a/aws/credentials/endpointcreds/provider.go b/aws/credentials/endpointcreds/provider.go
@@ -7,30 +7,37 @@
 //
 // Static credentials will never expire once they have been retrieved. The format
 // of the static credentials response:
-//    {
-//        "AccessKeyId" : "MUA...",
-//        "SecretAccessKey" : "/7PC5om....",
-//    }
+//
+//	{
+//	    "AccessKeyId" : "MUA...",
+//	    "SecretAccessKey" : "/7PC5om....",
+//	}
 //
 // Refreshable credentials will expire within the "ExpiryWindow" of the Expiration
 // value in the response. The format of the refreshable credentials response:
-//    {
-//        "AccessKeyId" : "MUA...",
-//        "SecretAccessKey" : "/7PC5om....",
-//        "Token" : "AQoDY....=",
-//        "Expiration" : "2016-02-25T06:03:31Z"
-//    }
+//
+//	{
+//	    "AccessKeyId" : "MUA...",
+//	    "SecretAccessKey" : "/7PC5om....",
+//	    "Token" : "AQoDY....=",
+//	    "Expiration" : "2016-02-25T06:03:31Z"
+//	}
 //
 // Errors should be returned in the following format and only returned with 400
 // or 500 HTTP status codes.
-//    {
-//        "code": "ErrorCode",
-//        "message": "Helpful error message."
-//    }
+//
+//	{
+//	    "code": "ErrorCode",
+//	    "message": "Helpful error message."
+//	}
 package endpointcreds
 
 import (
 	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -43,7 +50,10 @@ import (
 )
 
 // ProviderName is the name of the credentials provider.
-const ProviderName = `CredentialsEndpointProvider`
+const (
+	ProviderName               = `CredentialsEndpointProvider`
+	httpProviderAuthFileEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
+)
 
 // Provider satisfies the credentials.Provider interface, and is a client to
 // retrieve credentials from an arbitrary endpoint.
@@ -164,7 +174,22 @@ func (p *Provider) getCredentials(ctx aws.Context) (*getCredentialsOutput, error
 	req := p.Client.NewRequest(op, nil, out)
 	req.SetContext(ctx)
 	req.HTTPRequest.Header.Set("Accept", "application/json")
-	if authToken := p.AuthorizationToken; len(authToken) != 0 {
+
+	authToken := p.AuthorizationToken
+	var err error
+
+	if authFilePath := os.Getenv(httpProviderAuthFileEnvVar); authFilePath != "" {
+		var contents []byte
+		if contents, err = ioutil.ReadFile(authFilePath); err != nil {
+			return &getCredentialsOutput{}, fmt.Errorf("failed to read authorization token from %v: %v", authFilePath, err)
+		}
+		authToken = string(contents)
+	}
+
+	if strings.ContainsAny(authToken, "\r\n") {
+		return &getCredentialsOutput{}, fmt.Errorf("authorization token contains invalid newline sequence")
+	}
+	if len(authToken) != 0 {
 		req.HTTPRequest.Header.Set("Authorization", authToken)
 	}
 

diff --git a/aws/defaults/defaults.go b/aws/defaults/defaults.go
@@ -9,7 +9,6 @@ package defaults
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -114,7 +113,6 @@ func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Pro
 }
 
 const (
-	httpProviderAuthFileEnvVar      = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
 	httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
 	httpProviderEnvVar              = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
 	ECSContainerHost                = "169.254.170.2"
@@ -138,10 +136,11 @@ func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.P
 
 var lookupHostFn = net.LookupHost
 
-func isLoopbackHost(host string) (bool, error) {
-	ip := net.ParseIP(host)
-	if ip != nil {
-		return ip.IsLoopback(), nil
+// isAllowedHost allows host to be loopback host,ECS container host 169.254.170.2
+// and EKS container host 169.254.170.23
+func isAllowedHost(host string) (bool, error) {
+	if isHostAllowed(host) {
+		return true, nil
 	}
 
 	// Host is not an ip, perform lookup
@@ -150,21 +149,23 @@ func isLoopbackHost(host string) (bool, error) {
 		return false, err
 	}
 	for _, addr := range addrs {
-		if !net.ParseIP(addr).IsLoopback() {
+		if !isHostAllowed(addr) {
 			return false, nil
 		}
 	}
 
 	return true, nil
 }
 
-// isAllowedHost allows host to be loopback host,ECS container host 169.254.170.2
-// and EKS container host 169.254.170.23
-func isAllowedHost(host string) (bool, error) {
+func isHostAllowed(host string) bool {
 	if host == ECSContainerHost || host == EKSContainerHost {
-		return true, nil
+		return true
 	}
-	return isLoopbackHost(host)
+	ip := net.ParseIP(host)
+	if ip != nil {
+		return ip.IsLoopback()
+	}
+	return false
 }
 
 func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider {
@@ -200,34 +201,10 @@ func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string)
 }
 
 func httpCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider {
-	var authToken string
-	var errMsg string
-	var err error
-
-	if authFilePath := os.Getenv(httpProviderAuthFileEnvVar); authFilePath != "" {
-		var contents []byte
-		if contents, err = ioutil.ReadFile(authFilePath); err != nil {
-			errMsg = fmt.Sprintf("failed to read authorization token from %v: %v", authFilePath, err)
-		}
-		authToken = string(contents)
-	} else {
-		authToken = os.Getenv(httpProviderAuthorizationEnvVar)
-	}
-
-	if errMsg != "" {
-		if cfg.Logger != nil {
-			cfg.Logger.Log("Ignoring, HTTP credential provider", errMsg, err)
-		}
-		return credentials.ErrorProvider{
-			Err:          awserr.New("CredentialsEndpointError", errMsg, err),
-			ProviderName: endpointcreds.ProviderName,
-		}
-	}
-
 	return endpointcreds.NewProviderClient(cfg, handlers, u,
 		func(p *endpointcreds.Provider) {
 			p.ExpiryWindow = 5 * time.Minute
-			p.AuthorizationToken = authToken
+			p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar)
 		},
 	)
 }