public void AddMetadataGetSecurityCredentialsResponse( IAMSecurityCredentialMetadata metadata, string token, HttpStatusCode statusCode = HttpStatusCode.OK) { AddMetadataGenericResponse(JsonMapper.ToJson(metadata), token, statusCode); }
public void StaticStabilityWhenIMDSExperiencesAnOutageScenarioTest() { var currentTime = new DateTime(1997, 8, 29, 16, 20, 0); var token = "ValidToken"; var profileMetadata = new IAMInstanceProfileMetadata { InstanceProfileArn = "profile_arn", InstanceProfileId = "profile_id" }; var validCredentialMetadata = new IAMSecurityCredentialMetadata { AccessKeyId = "value1", SecretAccessKey = "secret1", Expiration = currentTime.AddMinutes(75) }; var expiredCredentialMetadata = new IAMSecurityCredentialMetadata { AccessKeyId = "expired", SecretAccessKey = "expired", Expiration = currentTime.Subtract(TimeSpan.FromMinutes(5)) }; var validCredentialMetadata2 = new IAMSecurityCredentialMetadata { AccessKeyId = "value2", SecretAccessKey = "secret2", Expiration = currentTime.AddHours(6) }; using (new AWSConfigsDateFaker(() => currentTime.ToUniversalTime())) using (var imdsServlet = new EC2InstanceMetadataServlet()) { var instanceProfileAwsCredentials = new InstanceProfileAWSCredentials( // use a dummy role so InstanceProfileAWSCredentials doesn't try and call imds server to resolve role role: "dummyRole", proxy: null); // EXPIRED TEST 1 & 2 - can use IMDS provider if first IMDS call returns expired creds // Given IMDS service immediately returns an expired credential imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var expiredInitialCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(expiredCredentialMetadata, expiredInitialCreds); // REFRESH TEST 2/LOGGING TEST - Can send a request after receiving a 500 // Given 20 minutes has passed (expired credential cache time is up to 15 minutes) currentTime += TimeSpan.FromMinutes(20); // Given the IMDS service is running normally imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var initialCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(validCredentialMetadata, initialCreds); // Given 1 hour has passed (default credential cache time is 1 hour) currentTime += TimeSpan.FromMinutes(65); // And the IMDS service returns 5xx error imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGenericResponse(contents: "", token: token, HttpStatusCode.ServiceUnavailable); // When InstanceProfileAWSCredentials returns the previously valid Credential var badCreds = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is the previously valid Credential and can be used to call a Service AssertAreEqual(validCredentialMetadata, badCreds); // And there is a log message that an expired credential is being used // Given 90 minutes has passed (credential cache time is up to 60 minutes) currentTime += TimeSpan.FromMinutes(90); // And the IMDS service is running normally (again) imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(validCredentialMetadata2, token); // When InstanceProfileAWSCredentials returns a Credential var goodCreds2 = instanceProfileAwsCredentials.GetCredentials(); // Then the Credential is valid and be used to call a Service AssertAreEqual(validCredentialMetadata2, goodCreds2); // EXPIRED TEST 3 - Can perform 3 successive requests with expired credentials. IMDS must only be called once. // Given IMDS service immediately returns an expired credential imdsServlet.AddTokenFetchResponse(token); imdsServlet.AddMetadataSecurityInfoResponse(profileMetadata, token); imdsServlet.AddMetadataGetSecurityCredentialsResponse(expiredCredentialMetadata, token); // When InstanceProfileAWSCredentials returns a Credential var creds1 = instanceProfileAwsCredentials.GetCredentials(); // And InstanceProfileAWSCredentials returns a Credential var creds2 = instanceProfileAwsCredentials.GetCredentials(); // And InstanceProfileAWSCredentials returns a Credential var creds3 = instanceProfileAwsCredentials.GetCredentials(); // Then IMDS is only called once // (imdsServlet would have thrown an exception if an additional call was made) } }
private void AssertAreEqual(IAMSecurityCredentialMetadata metadata, ImmutableCredentials creds) { Assert.AreEqual(metadata.AccessKeyId, creds.AccessKey); Assert.AreEqual(metadata.SecretAccessKey, creds.SecretKey); Assert.AreEqual(metadata.Token ?? "", creds.Token ?? ""); }