mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
44a8e10bfc
AWS recently launched a new version of the EC2 Instance Metadata Service, which is used to provide credentials to the awslogs driver when running on Amazon EC2. This new version of the IMDS adds defense-in-depth mechanisms against open firewalls, reverse proxies, and SSRF vulnerabilities and is generally an improvement over the previous version. An updated version of the AWS SDK is able to handle the both the previous version and the new version of the IMDS and functions when either is enabled. More information about IMDSv2 is available at the following links: * https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html Closes https://github.com/moby/moby/issues/40422 Signed-off-by: Samuel Karp <skarp@amazon.com>
81 lines
2 KiB
Go
81 lines
2 KiB
Go
package protocol
|
|
|
|
import (
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/aws/client/metadata"
|
|
"github.com/aws/aws-sdk-go/aws/request"
|
|
)
|
|
|
|
// PayloadUnmarshaler provides the interface for unmarshaling a payload's
|
|
// reader into a SDK shape.
|
|
type PayloadUnmarshaler interface {
|
|
UnmarshalPayload(io.Reader, interface{}) error
|
|
}
|
|
|
|
// HandlerPayloadUnmarshal implements the PayloadUnmarshaler from a
|
|
// HandlerList. This provides the support for unmarshaling a payload reader to
|
|
// a shape without needing a SDK request first.
|
|
type HandlerPayloadUnmarshal struct {
|
|
Unmarshalers request.HandlerList
|
|
}
|
|
|
|
// UnmarshalPayload unmarshals the io.Reader payload into the SDK shape using
|
|
// the Unmarshalers HandlerList provided. Returns an error if unable
|
|
// unmarshaling fails.
|
|
func (h HandlerPayloadUnmarshal) UnmarshalPayload(r io.Reader, v interface{}) error {
|
|
req := &request.Request{
|
|
HTTPRequest: &http.Request{},
|
|
HTTPResponse: &http.Response{
|
|
StatusCode: 200,
|
|
Header: http.Header{},
|
|
Body: ioutil.NopCloser(r),
|
|
},
|
|
Data: v,
|
|
}
|
|
|
|
h.Unmarshalers.Run(req)
|
|
|
|
return req.Error
|
|
}
|
|
|
|
// PayloadMarshaler provides the interface for marshaling a SDK shape into and
|
|
// io.Writer.
|
|
type PayloadMarshaler interface {
|
|
MarshalPayload(io.Writer, interface{}) error
|
|
}
|
|
|
|
// HandlerPayloadMarshal implements the PayloadMarshaler from a HandlerList.
|
|
// This provides support for marshaling a SDK shape into an io.Writer without
|
|
// needing a SDK request first.
|
|
type HandlerPayloadMarshal struct {
|
|
Marshalers request.HandlerList
|
|
}
|
|
|
|
// MarshalPayload marshals the SDK shape into the io.Writer using the
|
|
// Marshalers HandlerList provided. Returns an error if unable if marshal
|
|
// fails.
|
|
func (h HandlerPayloadMarshal) MarshalPayload(w io.Writer, v interface{}) error {
|
|
req := request.New(
|
|
aws.Config{},
|
|
metadata.ClientInfo{},
|
|
request.Handlers{},
|
|
nil,
|
|
&request.Operation{HTTPMethod: "PUT"},
|
|
v,
|
|
nil,
|
|
)
|
|
|
|
h.Marshalers.Run(req)
|
|
|
|
if req.Error != nil {
|
|
return req.Error
|
|
}
|
|
|
|
io.Copy(w, req.GetBody())
|
|
|
|
return nil
|
|
}
|