metadata server: redirect security-credentials when no trailing slash (uswitch#121)

* metadata server: redirect security-credentials when no trailing slash
* aws metadata api uses a permanent redirect so we use the same

Author: pingles

pkg/aws/metadata/handler_role_name.go

@@ -22,6 +22,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/uswitch/kiam/pkg/server"
 	"net/http"
+	"net/url"
 	"time"
 )
 
@@ -30,10 +31,22 @@ type roleHandler struct {
 	clientIP clientIPFunc
 }
 
+func trailingSlashSuffixRedirectHandler(rw http.ResponseWriter, req *http.Request) {
+	u, err := url.Parse(req.URL.String())
+	if err != nil {
+		log.Errorf("error parsing uri: %s", err)
+		http.Error(rw, "error parsing uri", http.StatusInternalServerError)
+		return
+	}
+
+	u.Path = fmt.Sprintf("%s/", u.Path)
+	http.Redirect(rw, req, u.String(), http.StatusPermanentRedirect)
+}
+
 func (h *roleHandler) Install(router *mux.Router) {
 	handler := adapt(withMeter("roleName", h))
-	router.Handle("/{version}/meta-data/iam/security-credentials", handler)
 	router.Handle("/{version}/meta-data/iam/security-credentials/", handler)
+	router.HandleFunc("/{version}/meta-data/iam/security-credentials", trailingSlashSuffixRedirectHandler)
 }
 
 func (h *roleHandler) Handle(ctx context.Context, w http.ResponseWriter, req *http.Request) (int, error) {

pkg/aws/metadata/handler_role_name_test.go

@@ -12,6 +12,18 @@ import (
 	"time"
 )
 
+func TestRedirectsToCanonicalPath(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/latest/meta-data/iam/security-credentials", nil)
+	rr := httptest.NewRecorder()
+
+	handler := newHandler(nil)
+	handler.ServeHTTP(rr, r)
+
+	if rr.Code != http.StatusPermanentRedirect {
+		t.Error("expected redirect, was", rr.Code)
+	}
+}
+
 func TestReturnRoleWhenClientResponds(t *testing.T) {
 	r, _ := http.NewRequest("GET", "/latest/meta-data/iam/security-credentials/", nil)
 	rr := httptest.NewRecorder()