From 340879e05b8f505de0b556b86bcdf55fbe6869ad Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Thu, 24 Oct 2024 14:41:31 +0100
Subject: [PATCH] fix: enable node-fips compatible body checksums for S3
---
 packages/@aws-cdk/integ-runner/package.json | 3 +-
 packages/aws-cdk/lib/api/aws-auth/sdk.ts | 13 ++++++-
 packages/aws-cdk/package.json | 2 +-
 yarn.lock | 38 +++++----------------
 4 files changed, 23 insertions(+), 33 deletions(-)
diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json
index fef13773ed7aa..5ab742258adbd 100644
--- a/packages/@aws-cdk/integ-runner/package.json
+++ b/packages/@aws-cdk/integ-runner/package.json
@@ -74,9 +74,8 @@
 "@aws-cdk/cloud-assembly-schema": "^38.0.0",
 "@aws-cdk/cloudformation-diff": "0.0.0",
 "@aws-cdk/cx-api": "0.0.0",
- "cdk-assets": "^2.154.0",
+ "cdk-assets": "^2.155.17",
 "@aws-cdk/aws-service-spec": "^0.1.29",
- "@aws-cdk/cdk-cli-wrapper": "0.0.0",
 "aws-cdk": "0.0.0",
 "chalk": "^4",
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
index 6a78965620c01..fab6d1d3ce4b0 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
@@ -174,7 +174,18 @@ export class SDK implements ISDK {
 }
 public s3(): AWS.S3 {
- return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+ return this.wrapServiceErrorHandling(new AWS.S3({
+ // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+ // However by default the S3 client is using an MD5 checksum for content integrity checking.
+ // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+ // in practice it is just easier to use an allowed checksum mechanism.
+ // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+ // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+ // of the AWS SDKv3 and is a safe choice for all users.
+ s3DisableBodySigning: false,
+ computeChecksums: false,
+ ...this.config,
+ }));
 }
 public route53(): AWS.Route53 {
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index 506da385ff312..202ac715eb2bb 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -104,7 +104,7 @@
 "archiver": "^5.3.2",
 "aws-sdk": "^2.1691.0",
 "camelcase": "^6.3.0",
- "cdk-assets": "^2.155.0",
+ "cdk-assets": "^2.155.17",
 "cdk-from-cfn": "^0.162.0",
 "chalk": "^4",
 "chokidar": "^3.6.0",
diff --git a/yarn.lock b/yarn.lock
index a14ce1ed93150..f5c2805c1038d 100644
--- a/yarn.lock
+++ b/yarn.lock
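Review bot: In `s3()` in packages/aws-cdk/lib/api/aws-auth/sdk.ts, `...this.config` is spread after `s3DisableBodySigning: false` and `computeChecksums: false`, so a value for either key already present in `this.config` silently replaces the FIPS-compatible setting the comment describes. If that override is intended, the comment should say so; if the two settings are meant to hold for every S3 client, put the spread first: `new AWS.S3({ ...this.config, s3DisableBodySigning: false, computeChecksums: false })`. With `computeChecksums: false` the client presumably no longer sends Content-MD5, so it is worth confirming that uploads to buckets that require a checksum header (Object Lock is one case to check) still succeed; this is inferred from the option names, not visible in the hunk. The diffstat lists no test file, so nothing in this patch pins the two options or the SHA-256 body-signing path the comment calls "a safe choice for all users".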
@@ -67,17 +67,10 @@ jsonschema "^1.4.1" semver "^7.6.3" -"@aws-cdk/cx-api@^2.158.0": - version "2.159.0" - resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094" - integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w== - dependencies: - semver "^7.6.3" - -"@aws-cdk/cx-api@^2.160.0": - version "2.160.0" - resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59" - integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw== +"@aws-cdk/cx-api@^2.163.1": + version "2.163.1" + resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e" + integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w== dependencies: semver "^7.6.3" 
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3: resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9" integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ== -cdk-assets@^2.154.0: - version "2.154.0" - resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead" - integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw== - dependencies: - "@aws-cdk/cloud-assembly-schema" "^38.0.0" - "@aws-cdk/cx-api" "^2.158.0" - archiver "^5.3.2" - aws-sdk "^2.1691.0" - glob "^7.2.3" - mime "^2.6.0" - yargs "^16.2.0" - -cdk-assets@^2.155.0: - version "2.155.0" - resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf" - integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA== +cdk-assets@^2.155.17: + version "2.155.17" + resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5" + integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA== dependencies: "@aws-cdk/cloud-assembly-schema" "^38.0.1" - "@aws-cdk/cx-api" "^2.160.0" + "@aws-cdk/cx-api" "^2.163.1" archiver "^5.3.2" aws-sdk "^2.1691.0" glob "^7.2.3"