Add support for remote credential providers

Author: jeskew

packages/credential-provider/__mocks__/fs.ts

@@ -1,6 +1,6 @@
 interface FsModule {
-    __addMatcher: (toMatch: RegExp, toReturn: string) => void;
-    __clearMatchers: () => void;
+    __addMatcher(toMatch: RegExp, toReturn: string): void;
+    __clearMatchers(): void;
     readFile: (path: string, encoding: string, cb: Function) => void
 }
 

packages/credential-provider/__tests__/fromContainerMetadata.ts

@@ -0,0 +1,99 @@
+import {
+    ENV_CMDS_RELATIVE_URI,
+    fromContainerMetadata
+} from "../lib/fromContainerMetadata";
+import {httpGet} from "../lib/remoteProvider/httpGet";
+import {
+    fromImdsCredentials,
+    ImdsCredentials
+} from "../lib/remoteProvider/ImdsCredentials";
+import MockInstance = jest.MockInstance;
+import {RequestOptions} from "http";
+
+interface HttpGet {
+    (options: RequestOptions): Promise<Buffer>;
+}
+
+const mockHttpGet = <MockInstance<HttpGet>><any>httpGet;
+jest.mock('../lib/remoteProvider/httpGet', () => ({httpGet: jest.fn()}));
+
+const relativeUri = process.env[ENV_CMDS_RELATIVE_URI];
+
+beforeEach(() => {
+    mockHttpGet.mockReset();
+    process.env[ENV_CMDS_RELATIVE_URI] = '/relative/uri';
+});
+
+afterAll(() => {
+    process.env[ENV_CMDS_RELATIVE_URI] = relativeUri;
+});
+
+describe('fromContainerMetadata', () => {
+    const creds: ImdsCredentials = Object.freeze({
+        AccessKeyId: 'foo',
+        SecretAccessKey: 'bar',
+        Token: 'baz',
+        Expiration: new Date().toISOString(),
+    });
+
+    it(
+        'should reject the promise if the container credentials environment variable is not set',
+        async () => {
+            delete process.env[ENV_CMDS_RELATIVE_URI];
+            await fromContainerMetadata()().then(
+                () => { throw new Error('The promise should have been rejected'); },
+                () => { /* promise rejected, as expected */ }
+            );
+        }
+    );
+
+    it(
+        'should resolve credentials by fetching them from the container metadata service',
+        async () => {
+            mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+            expect(await fromContainerMetadata()())
+                .toEqual(fromImdsCredentials(creds));
+        }
+    );
+
+    it('should retry the fetching operation up to maxRetries times', async () => {
+        const maxRetries = 5;
+        for (let i = 0; i < maxRetries - 1; i++) {
+            mockHttpGet.mockReturnValueOnce(Promise.reject('No!'));
+        }
+        mockHttpGet.mockReturnValueOnce(
+            Promise.resolve(JSON.stringify(creds))
+        );
+
+        expect(await fromContainerMetadata({maxRetries})())
+            .toEqual(fromImdsCredentials(creds));
+        expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
+    });
+
+    it('should retry responses that receive invalid response values', async () => {
+        for (let key of Object.keys(creds)) {
+            const invalidCreds: any = {...creds};
+            delete invalidCreds[key];
+            mockHttpGet.mockReturnValueOnce(
+                Promise.resolve(JSON.stringify(invalidCreds))
+            );
+        }
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+        await fromContainerMetadata({maxRetries: 100})();
+        expect(mockHttpGet.mock.calls.length)
+            .toEqual(Object.keys(creds).length + 1);
+    });
+
+    it('should pass relevant configuration to httpGet', async () => {
+        const timeout = Math.ceil(Math.random() * 1000);
+        mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+        await fromContainerMetadata({timeout})();
+        expect(mockHttpGet.mock.calls.length).toEqual(1);
+        expect(mockHttpGet.mock.calls[0][0]).toEqual({
+            host: '169.254.170.2',
+            path: process.env[ENV_CMDS_RELATIVE_URI],
+            timeout,
+        });
+    });
+});

packages/credential-provider/__tests__/fromInstanceMetadata.ts

@@ -0,0 +1,124 @@
+import {fromInstanceMetadata} from "../lib/fromInstanceMetadata";
+import {httpGet} from "../lib/remoteProvider/httpGet";
+import {
+    fromImdsCredentials,
+    ImdsCredentials
+} from "../lib/remoteProvider/ImdsCredentials";
+import MockInstance = jest.MockInstance;
+import {RequestOptions} from "http";
+
+interface HttpGet {
+    (options: RequestOptions): Promise<Buffer>;
+}
+
+const mockHttpGet = <MockInstance<HttpGet>><any>httpGet;
+jest.mock('../lib/remoteProvider/httpGet', () => ({httpGet: jest.fn()}));
+
+beforeEach(() => {
+    mockHttpGet.mockReset();
+});
+
+describe('fromInstanceMetadata', () => {
+    const creds: ImdsCredentials = Object.freeze({
+        AccessKeyId: 'foo',
+        SecretAccessKey: 'bar',
+        Token: 'baz',
+        Expiration: new Date().toISOString(),
+    });
+
+    it(
+        'should resolve credentials by fetching them from the container metadata service',
+        async () => {
+            mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+            expect(await fromInstanceMetadata({profile: 'foo'})())
+                .toEqual(fromImdsCredentials(creds));
+        }
+    );
+
+    it('should retry the fetching operation up to maxRetries times', async () => {
+        const maxRetries = 5;
+        for (let i = 0; i < maxRetries - 1; i++) {
+            mockHttpGet.mockReturnValueOnce(Promise.reject('No!'));
+        }
+        mockHttpGet.mockReturnValueOnce(
+            Promise.resolve(JSON.stringify(creds))
+        );
+
+        expect(await fromInstanceMetadata({maxRetries, profile: 'foo'})())
+            .toEqual(fromImdsCredentials(creds));
+        expect(mockHttpGet.mock.calls.length).toEqual(maxRetries);
+    });
+
+    it('should retry responses that receive invalid response values', async () => {
+        for (let key of Object.keys(creds)) {
+            const invalidCreds: any = {...creds};
+            delete invalidCreds[key];
+            mockHttpGet.mockReturnValueOnce(
+                Promise.resolve(JSON.stringify(invalidCreds))
+            );
+        }
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+        await fromInstanceMetadata({maxRetries: 100, profile: 'foo'})();
+        expect(mockHttpGet.mock.calls.length)
+            .toEqual(Object.keys(creds).length + 1);
+    });
+
+    it('should pass relevant configuration to httpGet', async () => {
+        const timeout = Math.ceil(Math.random() * 1000);
+        const profile = 'foo-profile';
+        mockHttpGet.mockReturnValue(Promise.resolve(JSON.stringify(creds)));
+        await fromInstanceMetadata({timeout, profile})();
+        expect(mockHttpGet.mock.calls.length).toEqual(1);
+        expect(mockHttpGet.mock.calls[0][0]).toEqual({
+            host: '169.254.169.254',
+            path: `/latest/meta-data/iam/security-credentials/${profile}`,
+            timeout,
+        });
+    });
+
+    it('should fetch the profile name if not supplied', async () => {
+        const defaultTimeout = 1000;
+        const profile = 'foo-profile';
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(profile));
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+        await fromInstanceMetadata()();
+        expect(mockHttpGet.mock.calls.length).toEqual(2);
+        expect(mockHttpGet.mock.calls[0][0]).toEqual({
+            host: '169.254.169.254',
+            path: '/latest/meta-data/iam/security-credentials/',
+            timeout: defaultTimeout,
+        });
+        expect(mockHttpGet.mock.calls[1][0]).toEqual({
+            host: '169.254.169.254',
+            path: `/latest/meta-data/iam/security-credentials/${profile}`,
+            timeout: defaultTimeout,
+        });
+    });
+
+
+
+    it('should retry the profile name fetch as necessary', async () => {
+        const defaultTimeout = 1000;
+        const profile = 'foo-profile';
+        mockHttpGet.mockReturnValueOnce(Promise.reject('Too busy'));
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(profile));
+        mockHttpGet.mockReturnValueOnce(Promise.resolve(JSON.stringify(creds)));
+
+        await fromInstanceMetadata()();
+        expect(mockHttpGet.mock.calls.length).toEqual(3);
+        expect(mockHttpGet.mock.calls[2][0]).toEqual({
+            host: '169.254.169.254',
+            path: `/latest/meta-data/iam/security-credentials/${profile}`,
+            timeout: defaultTimeout,
+        });
+        for (let index of [0, 1]) {
+            expect(mockHttpGet.mock.calls[index][0]).toEqual({
+                host: '169.254.169.254',
+                path: '/latest/meta-data/iam/security-credentials/',
+                timeout: defaultTimeout,
+            });
+        }
+    });
+});

packages/credential-provider/__tests__/remoteProvider/ImdsCredentials.ts

@@ -0,0 +1,61 @@
+import {
+    fromImdsCredentials,
+    ImdsCredentials,
+    isImdsCredentials,
+} from "../../lib/remoteProvider/ImdsCredentials";
+import {Credentials} from "../../lib/Credentials";
+
+const creds: ImdsCredentials = Object.freeze({
+    AccessKeyId: 'foo',
+    SecretAccessKey: 'bar',
+    Token: 'baz',
+    Expiration: new Date().toISOString(),
+});
+
+describe('isImdsCredentials', () => {
+    it('should accept valid ImdsCredentials objects', () => {
+        expect(isImdsCredentials(creds)).toBe(true);
+    });
+
+    it('should reject credentials without an AccessKeyId', () => {
+        expect(
+            isImdsCredentials(Object.assign({}, creds, {AccessKeyId: void 0}))
+        ).toBe(false);
+    });
+
+    it('should reject credentials without a SecretAccessKey', () => {
+        expect(
+            isImdsCredentials(Object.assign({}, creds, {SecretAccessKey: void 0}))
+        ).toBe(false);
+    });
+
+    it('should reject credentials without a Token', () => {
+        expect(
+            isImdsCredentials(Object.assign({}, creds, {Token: void 0}))
+        ).toBe(false);
+    });
+
+    it('should reject credentials without an Expiration', () => {
+        expect(
+            isImdsCredentials(Object.assign({}, creds, {Expiration: void 0}))
+        ).toBe(false);
+    });
+
+    it('should reject scalar values', () => {
+        for (let scalar of ['string', 1, true, null, void 0]) {
+            expect(isImdsCredentials(scalar)).toBe(false);
+        }
+    });
+});
+
+describe('fromImdsCredentials', () => {
+    it('should convert IMDS credentials to a credentials object', () => {
+        const converted: Credentials = fromImdsCredentials(creds);
+        expect(converted.accessKeyId).toEqual(creds.AccessKeyId);
+        expect(converted.secretKey).toEqual(creds.SecretAccessKey);
+        expect(converted.sessionToken).toEqual(creds.Token);
+        expect(converted.expiration).toEqual(
+            Math.floor((new Date(creds.Expiration).valueOf()) / 1000)
+        );
+    });
+});

packages/credential-provider/__tests__/remoteProvider/RemoteProviderInit.ts

@@ -0,0 +1,22 @@
+import {
+    DEFAULT_MAX_RETRIES,
+    DEFAULT_TIMEOUT,
+    providerConfigFromInit,
+} from "../../lib/remoteProvider/RemoteProviderInit";
+
+describe('providerConfigFromInit', () => {
+    it('should populate default values for retries and timeouts', () => {
+        expect(providerConfigFromInit({})).toEqual({
+            timeout: DEFAULT_TIMEOUT,
+            maxRetries: DEFAULT_MAX_RETRIES,
+        });
+    });
+
+    it('should pass through timeout and retries overrides', () => {
+        const timeout = 123456789;
+        const maxRetries = 987654321;
+
+        expect(providerConfigFromInit({timeout, maxRetries}))
+            .toEqual({timeout, maxRetries});
+    });
+});

packages/credential-provider/__tests__/remoteProvider/httpGet.ts

@@ -0,0 +1,68 @@
+import {createServer} from 'http';
+import {httpGet} from "../../lib/remoteProvider/httpGet";
+
+const matchers = new Map<string, string>();
+
+function addMatcher(url: string, toReturn: string): void {
+    matchers.set(url, toReturn);
+}
+
+function clearMatchers(): void {
+    matchers.clear();
+}
+
+function getOpenPort(candidatePort: number = 4321): Promise<number> {
+    return new Promise((resolve, reject) => {
+        const server = createServer();
+        server.on('error', () => reject());
+        server.listen(candidatePort);
+        server.close(() => resolve(candidatePort));
+    })
+        .catch(() => getOpenPort(candidatePort + 1));
+}
+
+let port: number;
+
+const server = createServer((request, response) => {
+    const {url = ''} = request;
+    if (matchers.has(url)) {
+        response.statusCode = 200;
+        response.end(matchers.get(url));
+    } else {
+        response.statusCode = 404;
+        response.end('Not found');
+    }
+});
+
+beforeAll(async (done) => {
+    port = await getOpenPort();
+    server.listen(port);
+    done();
+});
+
+afterAll(() => {
+    server.close();
+});
+
+beforeEach(clearMatchers);
+
+describe('httpGet', () => {
+    it('should respond with a promise fulfilled with the http response', async () => {
+        const expectedResponse = 'foo bar baz';
+        addMatcher('/', expectedResponse);
+
+        expect((await httpGet(`http://localhost:${port}/`)).toString('utf8'))
+            .toEqual(expectedResponse);
+    });
+
+    it('should reject the promise if a 404 status code is received', async () => {
+        addMatcher('/fizz', 'buzz');
+
+        await httpGet(`http://localhost:${port}/foo`).then(
+            () => { throw new Error('The promise should have been rejected'); },
+            () => { /* promise rejected, as expected */ }
+        );
+    });
+});
+
+