Use IMDSv1 by default, and fall back to IMDSv2 if necessary

b033add3 · Yuan Gao · e2fa19d0 · b033add3 · b033add3 · b033add3
Commit b033add3 authored Mar 30, 2020 by Yuan Gao
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,6 +6,12 @@ executors:
        type: string
    docker:
      - image: << parameters.image >>
+  linux:
+    parameters:
+      image:
+        type: string
+    docker:
+      - image: << parameters.image >>
 commands:
  runtest:
    steps:
@@ -23,6 +29,52 @@ commands:
          command: |
            source ~/efs-utils-virtualenv/bin/activate
            make test
+  build-deb:
+    steps:
+      - checkout
+      - run:
+          name: Repo update
+          command: |
+            apt-get update
+      - run:
+          name: Install dependencies
+          command: |
+            apt-get -y install binutils
+      - run:
+          name: Build DEB
+          command: |
+            ./build-deb.sh
+      - run:
+          name: Install package
+          command: |
+            apt-get -y install ./build/amazon-efs-utils*deb
+      - run:
+          name: Check installed successfully
+          command: |
+            mount.efs --version
+  build-rpm:
+    steps:
+      - checkout
+      - run:
+          name: Install dependencies
+          command: |
+            yum -y install rpm-build make
+      - run:
+          name: Build RPM
+          command: |
+            make rpm
+      - run:
+          name: Install package
+          command: |
+            yum -y install build/amazon-efs-utils*rpm
+      - run:
+          name: Check installed successfully
+          command: |
+            mount.efs --version
+      - run:
+          name: Check changelog
+          command: |
+            rpm -q --changelog amazon-efs-utils
 jobs:
  test:
    parameters:
@@ -33,6 +85,24 @@ jobs:
      image: << parameters.image >>
    steps:
      - runtest
+  build-deb-package:
+    parameters:
+      image:
+        type: string
+    executor:
+      name: linux
+      image: << parameters.image >>
+    steps:
+      - build-deb
+  build-rpm-package:
+    parameters:
+      image:
+        type: string
+    executor:
+      name: linux
+      image: << parameters.image >>
+    steps:
+      - build-rpm
 workflows:
  workflow:
    jobs:
@@ -53,4 +123,34 @@ workflows:
          image: circleci/python:3.4.9
      - test:
          name: python27
-          image: circleci/python:2.7.13
\ No newline at end of file
+          image: circleci/python:2.7.13
+      - build-deb-package:
+          name: ubuntu16
+          image: ubuntu:16.04
+      - build-deb-package:
+          name: ubuntu18
+          image: ubuntu:18.04
+      - build-deb-package:
+          name: debian9
+          image: debian:9
+      - build-rpm-package:
+          name: centos7
+          image: centos:centos7
+      - build-rpm-package:
+          name: amazon-linux-2
+          image: amazonlinux:2
+      - build-rpm-package:
+          name: amazon-linux
+          image: amazonlinux:1
+      - build-rpm-package:
+          name: fedora30
+          image: fedora:30
+      - build-rpm-package:
+          name: fedora31
+          image: fedora:31
+      - build-rpm-package:
+          name: fedora32
+          image: fedora:32
+      - build-rpm-package:
+          name: fedora33
+          image: fedora:33
\ No newline at end of file
--- a/config.ini
+++ b/config.ini
@@ -8,4 +8,4 @@

 [global]
 version=1.24
-release=2
+release=3
--- a/dist/amazon-efs-utils.spec
+++ b/dist/amazon-efs-utils.spec
@@ -120,6 +120,9 @@ fi
 %clean

 %changelog
+* Fri Mar 27 2020 Yuan Gao <ygaochn@amazon.com> - 1.24-3
+- Use IMDSv1 by default, and fall back to IMDSv2 if necessary
+
 * Tue Mar 10 2020 Yuan Gao <ygaochn@amazon.com> - 1.24-2
 - List which as dependency

@@ -127,7 +130,7 @@ fi
 - Enable efs-utils to source region from config file for sigv4 auth
 - Fix the issue that stunnel bin exec cannot be found in certain linux distributions

-* Tue Mar 02 2020 Yuan Gao <ygaochn@amazon.com> - 1.23-2
+* Tue Mar 03 2020 Yuan Gao <ygaochn@amazon.com> - 1.23-2
 - Support new option: netns, enable file system to mount in given network namespace
 - Support new option: awscredsuri, enable sourcing iam authorization from aws credentials relative uri
 - List openssl and util-linux as package dependency for IAM/AP authorization and command nsenter to mount file system to given network namespace
--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -240,14 +240,20 @@ def get_target_region(config):
 def get_region_from_instance_metadata():
    err_msg = None
    try:
-        token = get_aws_ec2_metadata_token()
        headers = {}
-        if token:
-            headers = {'X-aws-ec2-metadata-token': token}
        instance_identity = get_aws_ec2_metadata(headers)
        return instance_identity['region']
-    except (HTTPError, URLError) as e:
-        err_msg = 'Unable to reach instance metadata service at %s: status=%d' % (INSTANCE_METADATA_SERVICE_URL, e.code)
+    except HTTPError as e:
+        # 401:Unauthorized, the GET request uses an invalid token, so generate a new one
+        if e.code == 401:
+            token = get_aws_ec2_metadata_token()
+            headers = {'X-aws-ec2-metadata-token': token}
+            instance_identity = get_aws_ec2_metadata(headers)
+            return instance_identity['region']
+        err_msg = 'Unable to reach instance metadata service at %s: status=%d, reason is %s' \
+                  % (INSTANCE_METADATA_SERVICE_URL, e.code, e.reason)
+    except URLError as e:
+        err_msg = 'Unable to reach instance metadata service at %s, reason is %s' % (INSTANCE_METADATA_SERVICE_URL, e.reason)
    except ValueError as e:
        err_msg = 'Error parsing json: %s' % (e,)
    except KeyError as e:

--- a/test/mount_efs_test/test_get_target_region.py
+++ b/test/mount_efs_test/test_get_target_region.py
@@ -11,6 +11,8 @@ import json

 import pytest

+from .. import utils
+
 try:
    import ConfigParser
 except ImportError:
@@ -96,6 +98,21 @@ def test_get_target_region_without_token(mocker):
    assert 'us-east-1' == get_target_region_helper()


+def test_get_target_region_metadata_endpoint_unauthorized(mocker):
+    mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value='ABCDEFG==')
+    mocker.patch('mount_efs.urlopen', side_effect=[HTTPError('url', 401, 'Unauthorized', None, None), MockUrlLibResponse()])
+    assert 'us-east-1' == get_target_region_helper()
+
+
+# Reproduce https://github.com/aws/efs-utils/issues/46
+def test_get_target_region_token_endpoint_not_allowed(mocker):
+    get_aws_ec2_metadata_token_mock = mocker.patch('mount_efs.get_aws_ec2_metadata_token',
+                                                   side_effect=HTTPError('url', 405, 'Not allowed', None, None))
+    mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse())
+    assert 'us-east-1' == get_target_region_helper()
+    utils.assert_not_called(get_aws_ec2_metadata_token_mock)
+
+
 def test_get_target_region_py3_no_charset(mocker):
    mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value=None)
    mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse(data=bytearray(INSTANCE_DOCUMENT, 'us-ascii')))
@@ -128,6 +145,7 @@ def test_get_target_region_config_metadata_unavailable(mocker, capsys):
    out, err = capsys.readouterr()
    assert 'Error retrieving region' in err

+
 def _test_get_target_region_error(mocker, capsys, response=None, error=None):
    mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value=None)
    if (response and error) or (not response and not error):
@@ -145,6 +163,7 @@ def _test_get_target_region_error(mocker, capsys, response=None, error=None):
    out, err = capsys.readouterr()
    assert 'Error retrieving region' in err

+
 def test_get_target_region_bad_response(mocker, capsys):
    _test_get_target_region_error(mocker, capsys, error=HTTPError('url', 400, 'Bad Request Error', None, None))