schnauzer: set FIPS ECR registry endpoint if in FIPS mode

Extend the ecr-prefix helper to automatically set ECR registry endpoint to its FIPS equivalent if both in a FIPS supported region and running on a FIPS enabled variant. Signed-off-by: Gavin Inglis <giinglis@amazon.com>
bottlerocket-os · Oct 21, 2024 · 67407ab · 67407ab
1 parent d3c9f83
commit 67407ab
Showing 1 changed file with 37 additions and 2 deletions.
diff --git a/sources/api/schnauzer/src/helpers/mod.rs b/sources/api/schnauzer/src/helpers/mod.rs
@@ -16,7 +16,7 @@ use serde_plain::derive_fromstr_from_deserialize;
 use settings_extension_oci_defaults::OciDefaultsResourceLimitV1;
 use snafu::{OptionExt, ResultExt};
 use std::borrow::Borrow;
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::convert::TryFrom;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use std::str::FromStr;
@@ -70,6 +70,19 @@ lazy_static! {
         m.insert("us-west-2", "328549459982");
         m
     };
+
+    /// A set to tell us which regions have FIPS support.
+    /// https://docs.aws.amazon.com/general/latest/gr/ecr.html
+    static ref FIPS_REGION_SET: HashSet<&'static str> = {
+        let mut h = HashSet::new();
+        h.insert("us-east-1");
+        h.insert("us-east-2");
+        h.insert("us-gov-east-1");
+        h.insert("us-gov-west-1");
+        h.insert("us-west-1");
+        h.insert("us-west-2");
+        h
+    };
 }
 
 /// But if there is a region that does not exist in our map (for example a new
@@ -78,6 +91,9 @@ lazy_static! {
 const ECR_FALLBACK_REGION: &str = "us-east-1";
 const ECR_FALLBACK_REGISTRY: &str = "328549459982";
 
+/// Filepath to FIPS configuration.
+const PROC_SYS_CRYPTO_FIPS_ENABLED: &str = "/proc/sys/crypto/fips_enabled";
+
 lazy_static! {
     /// A map to tell us which endpoint to pull updates from for a given region.
     static ref TUF_ENDPOINT_MAP: HashMap<&'static str, &'static str> = {
@@ -519,6 +535,14 @@ pub fn tuf_prefix(
     Ok(())
 }
 
+/// Utility function to determine if a variant is in FIPS mode based
+/// on /proc/sys/crypto/fips_enabled.
+fn fips_enabled() -> bool {
+    std::fs::read_to_string(PROC_SYS_CRYPTO_FIPS_ENABLED)
+        .map(|s| s.trim() == "1")
+        .unwrap_or(false)
+}
+
 /// The `metadata-prefix` helper is used to map an AWS region to the correct
 /// metadata location inside of the TUF repository.
 ///
@@ -1426,7 +1450,18 @@ fn ecr_registry<S: AsRef<str>>(region: S) -> String {
     match partition {
         "aws-cn" => format!("{}.dkr.ecr.{}.amazonaws.com.cn", registry_id, region),
         "aws-iso-e" => format!("{}.dkr.ecr.{}.cloud.adc-e.uk", registry_id, region),
-        _ => format!("{}.dkr.ecr.{}.amazonaws.com", registry_id, region),
+        _ => format!(
+            "{}.dkr.ecr{}.{}.amazonaws.com",
+            registry_id,
+            // Only inject the fips service endpoint if the variant is in FIPS mode and the
+            // region supports FIPS.
+            if fips_enabled() && FIPS_REGION_SET.contains(region) {
+                "-fips"
+            } else {
+                ""
+            },
+            region
+        ),
     }
 }