host-identity 1.1.1

Stable, collision-resistant host identity resolution across platforms, container runtimes, cloud providers, and Kubernetes
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

//! Shared plumbing for cloud-metadata identity sources.
//!
//! Every plaintext-body provider (every one except AWS, which has a
//! two-step token dance) follows the same shape: one GET to a link-local
//! or private-DNS endpoint, with zero or more provider-specific headers,
//! returning a plaintext instance identifier. That shape is expressed once
//! here as [`CloudMetadata<E, T>`], parameterised by a [`CloudEndpoint`]
//! type that carries the URL, headers, source kind, and `Debug` label.
//!
//! # Identity scope
//!
//! Every source built on [`CloudMetadata`] returns a **per-instance**
//! identifier — the ID the cloud provider assigned to the underlying
//! VM. That ID is shared by every process on that VM, including every
//! container. Placing a cloud source ahead of a per-container or
//! per-pod source in a chain will collapse every container on a given
//! host onto one ID. The built-in `Resolver::with_network_defaults`
//! places Kubernetes pod UID and `ContainerId` above the cloud
//! sources for exactly this reason; custom chains should preserve
//! that ordering. See `docs/algorithm.md` → "Identity scope" for the
//! full discussion.
//!
//! # Transport requirements (security)
//!
//! Every source built on [`CloudMetadata`] contacts a link-local or
//! private-DNS endpoint that answers only on the specific cloud provider.
//! To avoid exfiltrating provider-specific headers (e.g. Azure's
//! `Metadata: true` fingerprint) or the request path, transports MUST:
//!
//! - refuse to follow HTTP redirects; a compromised or misconfigured
//!   endpoint returning a 3xx to an attacker-controlled host would
//!   forward those headers off the cloud;
//! - enforce a short per-request timeout (single-digit seconds). Off-
//!   cloud hosts never answer these endpoints, so the timeout directly
//!   bounds resolver latency when a source has no path to its endpoint.

use std::marker::PhantomData;

use crate::error::Error;
use crate::source::{Probe, Source, SourceKind};
use crate::sources::util::{normalize, trim_trailing_slashes};
use crate::transport::HttpTransport;

/// Provider-specific constants for a plaintext metadata endpoint.
///
/// One zero-sized type per provider. Keeps the wire details next to the
/// provider and out of the generic [`CloudMetadata`] impl.
pub trait CloudEndpoint: Send + Sync + 'static {
    /// Short struct name used in `Debug` output. Keeps
    /// `format!("{:?}", GcpMetadata)` readable rather than leaking
    /// `CloudMetadata<GcpEndpoint, _>`.
    const DEBUG_NAME: &'static str;
    /// Default endpoint base URL.
    const DEFAULT_BASE_URL: &'static str;
    /// Path (and any query string) appended to the base URL.
    const PATH: &'static str;
    /// [`SourceKind`] label for the resolved probe.
    const KIND: SourceKind;

    /// Provider-required headers. Return `&[]` when none are needed.
    fn headers() -> &'static [(&'static str, &'static str)];
}

/// Generic cloud-metadata source over a transport and an endpoint descriptor.
pub struct CloudMetadata<E, T> {
    transport: T,
    base_url: String,
    _endpoint: PhantomData<fn() -> E>,
}

impl<E: CloudEndpoint, T> CloudMetadata<E, T> {
    /// Use the endpoint's default base URL.
    pub fn new(transport: T) -> Self {
        Self::with_base_url(transport, E::DEFAULT_BASE_URL)
    }

    /// Use a caller-supplied base URL (tests, proxies).
    ///
    /// Any trailing `/` is trimmed so that concatenation with the
    /// endpoint's leading-slash path never produces `//`.
    pub fn with_base_url(transport: T, base_url: impl Into<String>) -> Self {
        Self {
            transport,
            base_url: trim_trailing_slashes(base_url),
            _endpoint: PhantomData,
        }
    }
}

impl<E: CloudEndpoint, T> std::fmt::Debug for CloudMetadata<E, T> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct(E::DEBUG_NAME)
            .field("base_url", &self.base_url)
            .finish_non_exhaustive()
    }
}

impl<E: CloudEndpoint, T: HttpTransport + 'static> Source for CloudMetadata<E, T> {
    fn kind(&self) -> SourceKind {
        E::KIND
    }

    fn probe(&self) -> Result<Option<Probe>, Error> {
        let url = format!("{}{}", self.base_url, E::PATH);
        let body = fetch_plaintext_id(&self.transport, &url, E::KIND, E::headers());
        Ok(body
            .as_deref()
            .and_then(normalize)
            .map(|v| Probe::new(E::KIND, v)))
    }
}

/// Issue a single `GET` and return the body as a UTF-8 string if the
/// response is 2xx. Transport errors and non-2xx responses produce `None`
/// so the resolver can fall through to the next source when the host is
/// clearly not on this provider.
fn fetch_plaintext_id<T: HttpTransport>(
    transport: &T,
    url: &str,
    kind: SourceKind,
    headers: &[(&str, &str)],
) -> Option<String> {
    let mut builder = http::Request::builder().method(http::Method::GET).uri(url);
    for (name, value) in headers {
        builder = builder.header(*name, *value);
    }
    let request = builder.body(Vec::new()).ok()?;
    let response = transport.send(request).ok()?;
    if !response.status().is_success() {
        // Log the source kind and status, not the URL — future endpoints
        // may interpolate tokens or other sensitive data into the path.
        log::debug!("{kind}: endpoint returned {}", response.status());
        return None;
    }
    std::str::from_utf8(response.body()).ok().map(str::to_owned)
}

#[cfg(test)]
pub(crate) mod test_support {
    //! Canned-response `HttpTransport` used by every cloud-source test.

    use std::collections::VecDeque;
    use std::convert::Infallible;
    use std::sync::{Arc, Mutex};

    use crate::transport::HttpTransport;

    pub(crate) struct StubTransport {
        inner: Mutex<Inner>,
    }

    struct Inner {
        responses: VecDeque<http::Response<Vec<u8>>>,
        requests: Vec<(http::Method, http::Uri, http::HeaderMap)>,
    }

    impl StubTransport {
        pub(crate) fn new(responses: Vec<http::Response<Vec<u8>>>) -> Self {
            Self {
                inner: Mutex::new(Inner {
                    responses: responses.into(),
                    requests: Vec::new(),
                }),
            }
        }

        pub(crate) fn requests(&self) -> Vec<(http::Method, http::Uri, http::HeaderMap)> {
            self.inner.lock().unwrap().requests.clone()
        }

        /// Build a shared stub and an owned transport closure wired to it.
        /// Tests use the returned `Arc` to assert on captured requests after
        /// the source has been dropped.
        pub(crate) fn shared(
            responses: Vec<http::Response<Vec<u8>>>,
        ) -> (Arc<Self>, impl HttpTransport + 'static) {
            let stub = Arc::new(Self::new(responses));
            let handle = Arc::clone(&stub);
            let transport = move |req: http::Request<Vec<u8>>| handle.send(req);
            (stub, transport)
        }
    }

    impl HttpTransport for StubTransport {
        type Error = Infallible;
        fn send(
            &self,
            request: http::Request<Vec<u8>>,
        ) -> Result<http::Response<Vec<u8>>, Self::Error> {
            let mut guard = self.inner.lock().unwrap();
            let response = guard
                .responses
                .pop_front()
                .expect("stub transport ran out of canned responses");
            guard.requests.push((
                request.method().clone(),
                request.uri().clone(),
                request.headers().clone(),
            ));
            Ok(response)
        }
    }

    pub(crate) fn ok(body: &str) -> http::Response<Vec<u8>> {
        http::Response::builder()
            .status(http::StatusCode::OK)
            .body(body.as_bytes().to_vec())
            .unwrap()
    }

    pub(crate) fn status(code: u16) -> http::Response<Vec<u8>> {
        http::Response::builder()
            .status(code)
            .body(Vec::new())
            .unwrap()
    }
}