Merge pull request #213 from jpculp/fips
pluto: add proxy support for FIPS
jpculp authored Oct 28, 2024
2 parents f8a7f1e + 2e36d5a commit b609232
Showing 16 changed files with 174 additions and 865 deletions.
8 changes: 1 addition & 7 deletions COPYRIGHT
Expand Up @@ -14,12 +14,6 @@ operating system images.

=^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

Contains modified hyper-proxy files [mod.rs, stream.rs, tunnel.rs] from
https://github.com/tafia/hyper-proxy 2021-09-20.
Copyright (c) 2017 Johann Tuffe. Licensed under the MIT License.

=^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

Contains aws-smithy-experimental from
Contains modified aws-smithy-experimental file(s) [hyper_1_0.rs] from
https://github.com/smithy-lang/smithy-rs/tree/release-2024-10-09.
Licensed under the Apache-2.0 License.
66 changes: 46 additions & 20 deletions sources/Cargo.lock


13 changes: 6 additions & 7 deletions sources/Cargo.toml
Expand Up @@ -143,15 +143,15 @@ glob = "0.3"
gptman = { version = "1", default-features = false }
handlebars = "4"
h2 = "0.4"
headers = "0.3"
headers = "0.4"
hex-literal = "0.4"
http = "0.2"
httparse = "1"
httptest = "0.15"
hyper = { version = "0.14", default-features = false }
hyper-util = "0.1"
# FIXME: bump to 0.27 once hyper-proxy is dropped
hyper-rustls = { version = "0.24", default-features = false }
hyper = { version = "1", default-features = false }
hyper-http-proxy = "1"
hyper-rustls = { version = "0.27", default-features = false }
hyper-util = { version = "0.1", default-features = false }
hyper-unix-connector = "0.2"
indexmap = "2"
ipnet = "2"
Expand Down Expand Up @@ -194,9 +194,8 @@ syn = { version = "2", default-features = false }
tar = { version = "0.4", default-features = false }
tempfile = "3"
test-case = "3"
tokio = { version = "~1.32", default-features = false } # LTS
tokio = { version = "~1.36", default-features = false } # LTS
tokio-retry = "0.3"
tokio-rustls = "0.24"
tokio-test = "0.4"
tokio-tungstenite = { version = "0.20", default-features = false }
tokio-util = "0.7"
3 changes: 2 additions & 1 deletion sources/api/apiclient/Cargo.toml
Expand Up @@ -23,7 +23,8 @@ futures.workspace = true
futures-channel.workspace = true
http.workspace = true
httparse.workspace = true
hyper = { workspace = true, features = ["client", "http1", "http2", "tcp"] }
# apiclient exec requires an older version of hyper
hyper = { version = "0.14", features = ["client", "http1", "http2", "tcp"] }
hyper-unix-connector.workspace = true
libc.workspace = true
log.workspace = true
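Review bot: The comment above the new `hyper = { version = "0.14", ... }` line says only that exec needs an older hyper, not which exec API ties it to 0.14 or where the upgrade is tracked. Since the workspace manifest in this same commit moves `hyper` to `1`, this pin keeps two major versions of hyper in the build, and each future hyper advisory will have to be checked against both. Suggest rewording it in the spirit of the FIXME the workspace file drops for hyper-proxy, e.g. `# FIXME: apiclient exec still needs hyper 0.14; drop this pin once exec is ported to hyper 1`, so the pin has an explicit retirement condition.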
24 changes: 7 additions & 17 deletions sources/api/pluto/Cargo.toml
Expand Up @@ -16,35 +16,25 @@ fips = ["aws-lc-rs/fips", "aws-smithy-experimental/crypto-aws-lc-fips", "rustls/
source-groups = ["aws-smithy-experimental"]

[dependencies]
base64.workspace = true
bottlerocket-modeled-types.workspace = true
bottlerocket-settings-models.workspace = true
bytes.workspace = true
constants.workspace = true
futures-util.workspace = true
headers.workspace = true
http.workspace = true
hyper = { workspace = true, features = ["default"] }
hyper-rustls = { workspace = true, features = ["http2", "logging", "native-tokio", "tls12"] }
imdsclient.workspace = true
aws-config.workspace = true
aws-lc-rs = { workspace = true, features = ["bindgen"] }
aws-sdk-eks.workspace = true
aws-sdk-ec2.workspace = true
aws-types.workspace = true
aws-smithy-experimental = {workspace = true, features = ["crypto-aws-lc"]}
aws-smithy-types.workspace = true
aws-smithy-runtime.workspace = true
aws-smithy-experimental = { workspace = true, features = ["crypto-aws-lc"] }
aws-types.workspace = true
base64.workspace = true
bottlerocket-modeled-types.workspace = true
bottlerocket-settings-models.workspace = true
constants.workspace = true
imdsclient.workspace = true
rustls.workspace = true
serde = { workspace = true, features = ["derive"] }
serde_json.workspace = true
snafu.workspace = true
tempfile.workspace = true
tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
tokio-retry.workspace = true
tokio-rustls.workspace = true
url.workspace = true
log.workspace = true

[build-dependencies]
generate-readme.workspace = true
42 changes: 10 additions & 32 deletions sources/api/pluto/src/ec2.rs
@@ -1,9 +1,6 @@
use crate::aws::sdk_config;
use crate::proxy;
#[cfg(feature = "fips")]
use aws_smithy_experimental::hyper_1_0::{CryptoMode, HyperClientBuilder as Hyper10ClientBuilder};
#[cfg(not(feature = "fips"))]
use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
use crate::PROVIDER;
use aws_smithy_experimental::hyper_1_0::HyperClientBuilder;
use aws_smithy_types::error::display::DisplayErrorContext;
use snafu::{OptionExt, ResultExt, Snafu};
use std::time::Duration;
Expand Down Expand Up @@ -36,9 +33,6 @@ pub(super) enum Error {

#[snafu(display("Missing field '{}' in EC2 response", field))]
Missing { field: &'static str },

#[snafu(context(false), display("{}", source))]
Proxy { source: proxy::Error },
}

type Result<T> = std::result::Result<T, Error>;
Expand All @@ -55,13 +49,8 @@ where
{
let config = sdk_config(region).await;

#[cfg(not(feature = "fips"))]
let client = build_client(https_proxy, no_proxy, config)?;

// FIXME!: support proxies in FIPS mode
#[cfg(feature = "fips")]
let client = build_client(config)?;

tokio::time::timeout(
FETCH_PRIVATE_DNS_NAME_TIMEOUT,
Retry::spawn(
Expand Down Expand Up @@ -94,7 +83,6 @@ where
.context(FetchPrivateDnsNameTimeoutSnafu)?
}

#[cfg(not(feature = "fips"))]
fn build_client<H, N>(
https_proxy: Option<H>,
no_proxy: Option<&[N]>,
Expand All @@ -104,26 +92,16 @@ where
H: AsRef<str>,
N: AsRef<str>,
{
let client = if let Some(https_proxy) = https_proxy {
let http_connector = proxy::setup_http_client(https_proxy, no_proxy)?;
let http_client = HyperClientBuilder::new().build(http_connector);
let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
.http_client(http_client)
.build();
aws_sdk_ec2::Client::from_conf(ec2_config)
let http_client = if let Some(https_proxy) = https_proxy {
let https_proxy = https_proxy.as_ref().to_string();
HyperClientBuilder::new()
.crypto_mode(PROVIDER)
.build_with_proxy(https_proxy, no_proxy)
} else {
aws_sdk_ec2::Client::new(&config)
HyperClientBuilder::new()
.crypto_mode(PROVIDER)
.build_https()
};

Ok(client)
}

// FIXME!: support proxies in FIPS mode
#[cfg(feature = "fips")]
fn build_client(config: aws_config::SdkConfig) -> Result<aws_sdk_ec2::Client> {
let http_client = Hyper10ClientBuilder::new()
.crypto_mode(CryptoMode::AwsLcFips)
.build_https();
let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
.http_client(http_client)
.build();
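Review bot: In the rewritten `build_client` body the `build_with_proxy(https_proxy, no_proxy)` call carries no `?`, and the second hunk removes the `Proxy { source: proxy::Error }` variant from `Error`, so a malformed `https_proxy` value can no longer surface as an `Error` from this function; confirm whether `HyperClientBuilder::build_with_proxy` panics or silently ignores an unparsable proxy URL, since a panic here would abort pluto on a bad proxy setting instead of reporting it. Because this also replaces the vendored, modified hyper-proxy module (see the COPYRIGHT change) with the `hyper-http-proxy` crate, it is worth verifying that `no_proxy` entries are matched the same way they were before. Until that is confirmed, a marker on the `let http_client = if let Some(https_proxy) = https_proxy {` line such as `// TODO(review): build_with_proxy has no error path here; confirm how a malformed proxy URL is reported` would flag it for the next reader. The body of `build_client` continues past the end of the last hunk.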
