Improve task network config validation in Fault Injection handlers (#4676)

amogh09 · web-flow · commit bfcd1c655cc4 · 2025-06-10T10:55:52.000-07:00
diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/fault/v1/handlers/handlers.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/fault/v1/handlers/handlers.go
diff --git a/ecs-agent/tmds/handlers/fault/v1/handlers/handlers.go b/ecs-agent/tmds/handlers/fault/v1/handlers/handlers.go
@@ -1316,8 +1316,11 @@ func validateTaskNetworkConfig(taskNetworkConfig *state.TaskNetworkConfig) error
 	}
 
 	// Device name is required to inject network faults to given ENI in the task.
-	if taskNetworkConfig.NetworkNamespaces[0].NetworkInterfaces[0].DeviceName == "" {
-		return errors.New("no ENI device name in the network namespace within task network config")
+	// Verify all network interfaces have a non-empty DeviceName
+	for i, netInterface := range taskNetworkConfig.NetworkNamespaces[0].NetworkInterfaces {
+		if netInterface.DeviceName == "" {
+			return fmt.Errorf("no ENI device name for network interface %d in the network namespace within task network config", i)
+		}
 	}
 
 	return nil
diff --git a/ecs-agent/tmds/handlers/fault/v1/handlers/handlers_netconfig_test.go b/ecs-agent/tmds/handlers/fault/v1/handlers/handlers_netconfig_test.go
@@ -0,0 +1,138 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package handlers
+
+import (
+	"testing"
+
+	state "github.com/aws/amazon-ecs-agent/ecs-agent/tmds/handlers/v4/state"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateTaskNetworkConfig(t *testing.T) {
+	testCases := []struct {
+		name          string
+		config        *state.TaskNetworkConfig
+		expectedError string
+	}{
+		{
+			name:          "nil config",
+			config:        nil,
+			expectedError: "TaskNetworkConfig is empty within task metadata",
+		},
+		{
+			name:          "empty network namespaces",
+			config:        &state.TaskNetworkConfig{},
+			expectedError: "empty network namespaces within task network config",
+		},
+		{
+			name: "empty network namespace path",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{{}},
+			},
+			expectedError: "no path in the network namespace within task network config",
+		},
+		{
+			name: "empty network interfaces",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{
+					{
+						Path: "/proc/1234/ns/net",
+					},
+				},
+			},
+			expectedError: "empty network interfaces within task network config",
+		},
+		{
+			name: "first interface missing device name",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{
+					{
+						Path: "/proc/1234/ns/net",
+						NetworkInterfaces: []*state.NetworkInterface{
+							{},
+							{
+								DeviceName: "eth1",
+							},
+						},
+					},
+				},
+			},
+			expectedError: "no ENI device name for network interface 0 in the network namespace within task network config",
+		},
+		{
+			name: "second interface missing device name",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{
+					{
+						Path: "/proc/1234/ns/net",
+						NetworkInterfaces: []*state.NetworkInterface{
+							{
+								DeviceName: "eth0",
+							},
+							{},
+						},
+					},
+				},
+			},
+			expectedError: "no ENI device name for network interface 1 in the network namespace within task network config",
+		},
+		{
+			name: "valid config with single interface",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{
+					{
+						Path: "/proc/1234/ns/net",
+						NetworkInterfaces: []*state.NetworkInterface{
+							{
+								DeviceName: "eth0",
+							},
+						},
+					},
+				},
+			},
+			expectedError: "",
+		},
+		{
+			name: "valid config with multiple interfaces",
+			config: &state.TaskNetworkConfig{
+				NetworkNamespaces: []*state.NetworkNamespace{
+					{
+						Path: "/proc/1234/ns/net",
+						NetworkInterfaces: []*state.NetworkInterface{
+							{
+								DeviceName: "eth0",
+							},
+							{
+								DeviceName: "eth1",
+							},
+						},
+					},
+				},
+			},
+			expectedError: "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := validateTaskNetworkConfig(tc.config)
+			if tc.expectedError == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, tc.expectedError)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -1316,8 +1316,11 @@ func validateTaskNetworkConfig(taskNetworkConfig *state.TaskNetworkConfig) error`
`1316`	`1316`	`}`
`1317`	`1317`
`1318`	`1318`	`// Device name is required to inject network faults to given ENI in the task.`
`1319`		`- if taskNetworkConfig.NetworkNamespaces[0].NetworkInterfaces[0].DeviceName == "" {`
`1320`		`- return errors.New("no ENI device name in the network namespace within task network config")`
	`1319`	`+ // Verify all network interfaces have a non-empty DeviceName`
	`1320`	`+ for i, netInterface := range taskNetworkConfig.NetworkNamespaces[0].NetworkInterfaces {`
	`1321`	`+ if netInterface.DeviceName == "" {`
	`1322`	`+ return fmt.Errorf("no ENI device name for network interface %d in the network namespace within task network config", i)`
	`1323`	`+ }`
`1321`	`1324`	`}`
`1322`	`1325`
`1323`	`1326`	`return nil`