archive/ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2025-08-15 13:39:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[rubygems/rubygems] Use IMDSv2 for S3 instance credentials

Browse source 
fa1c51ef59
This commit is contained in:
Frank Olbricht 2024-06-01 10:57:06 +02:00 committed by Hiroshi SHIBATA
parent 9c0ebff2cd
commit 8691a4ada1
No known key found for this signature in database
GPG key ID: F9CF13417264FAC2
1 changed files with 24 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

29
lib/rubygems/s3_uri_signer.rb
View file

@ -146,18 +146,20 @@ class Gem::S3URISigner
require_relative "request"
require_relative "request/connection_pools"
require "json"
iam_info = ec2_metadata_request(EC2_IAM_INFO)
token = ec2_metadata_token
iam_info = ec2_metadata_request(EC2_IAM_INFO, token)
# Expected format: arn:aws:iam::<id>:instance-profile/<role_name>
role_name = iam_info["InstanceProfileArn"].split("/").last
ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name)
ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name, token)
end
def ec2_metadata_request(url)
def ec2_metadata_request(url, token)
uri = Gem::URI(url)
@request_pool ||= create_request_pool(uri)
request = Gem::Request.new(uri, Gem::Net::HTTP::Get, nil, @request_pool)
response = request.fetch
response = request.fetch do |req|
req.add_field "X-aws-ec2-metadata-token", token
end
case response
when Gem::Net::HTTPOK then
@ -167,6 +169,22 @@ class Gem::S3URISigner
end
end
def ec2_metadata_token
uri = Gem::URI(EC2_IAM_TOKEN)
@request_pool ||= create_request_pool(uri)
request = Gem::Request.new(uri, Gem::Net::HTTP::Put, nil, @request_pool)
response = request.fetch do |req|
req.add_field "X-aws-ec2-metadata-token-ttl-seconds", 60
end
case response
when Gem::Net::HTTPOK then
response.body
else
raise InstanceProfileError.new("Unable to fetch AWS metadata from #{uri}: #{response.message} #{response.code}")
end
end
def create_request_pool(uri)
proxy_uri = Gem::Request.proxy_uri(Gem::Request.get_proxy_from_env(uri.scheme))
certs = Gem::Request.get_cert_files
@ -174,6 +192,7 @@ class Gem::S3URISigner
end
BASE64_URI_TRANSLATE = { "+" => "%2B", "/" => "%2F", "=" => "%3D", "\n" => "" }.freeze
EC2_IAM_TOKEN = "http://169.254.169.254/latest/api/token"
EC2_IAM_INFO = "http://169.254.169.254/latest/meta-data/iam/info"
EC2_IAM_SECURITY_CREDENTIALS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
end