pluto: add proxy support for FIPS

COPYRIGHT

@@ -14,12 +14,6 @@ operating system images.
 
 =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
-Contains modified hyper-proxy files [mod.rs, stream.rs, tunnel.rs] from
-https://github.com/tafia/hyper-proxy 2021-09-20.
-Copyright (c) 2017 Johann Tuffe. Licensed under the MIT License.
-
-=^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
-
-Contains aws-smithy-experimental from
+Contains modified aws-smithy-experimental file(s) [hyper_1_0.rs] from
 https://github.com/smithy-lang/smithy-rs/tree/release-2024-10-09.
 Licensed under the Apache-2.0 License.

sources/Cargo.toml

@@ -143,15 +143,15 @@ glob = "0.3"
 gptman = { version = "1", default-features = false }
 handlebars = "4"
 h2 = "0.4"
-headers = "0.3"
+headers = "0.4"
 hex-literal = "0.4"
 http = "0.2"
 httparse = "1"
 httptest = "0.15"
-hyper = { version = "0.14", default-features = false }
-hyper-util = "0.1"
-# FIXME: bump to 0.27 once hyper-proxy is dropped
-hyper-rustls = { version = "0.24", default-features = false }
+hyper = { version = "1", default-features = false }
+hyper-http-proxy = "1"
+hyper-rustls = { version = "0.27", default-features = false }
+hyper-util = { version = "0.1", default-features = false }
 hyper-unix-connector = "0.2"
 indexmap = "2"
 ipnet = "2"
@@ -194,9 +194,8 @@ syn = { version = "2", default-features = false }
 tar = { version = "0.4", default-features = false }
 tempfile = "3"
 test-case = "3"
-tokio = { version = "~1.32", default-features = false }  # LTS
+tokio = { version = "~1.36", default-features = false }  # LTS
 tokio-retry = "0.3"
-tokio-rustls = "0.24"
 tokio-test = "0.4"
 tokio-tungstenite = { version = "0.20", default-features = false }
 tokio-util = "0.7"

sources/api/apiclient/Cargo.toml

@@ -23,7 +23,8 @@ futures.workspace = true
 futures-channel.workspace = true
 http.workspace = true
 httparse.workspace = true
-hyper = { workspace = true, features = ["client", "http1", "http2", "tcp"] }
+# apiclient exec requires an older version of hyper
+hyper = { version = "0.14", features = ["client", "http1", "http2", "tcp"] }
 hyper-unix-connector.workspace = true
 libc.workspace = true
 log.workspace = true

sources/api/pluto/Cargo.toml

@@ -16,35 +16,25 @@ fips = ["aws-lc-rs/fips", "aws-smithy-experimental/crypto-aws-lc-fips", "rustls/
 source-groups = ["aws-smithy-experimental"]
 
 [dependencies]
-base64.workspace = true
-bottlerocket-modeled-types.workspace = true
-bottlerocket-settings-models.workspace = true
-bytes.workspace = true
-constants.workspace = true
-futures-util.workspace = true
-headers.workspace = true
-http.workspace = true
-hyper = { workspace = true, features = ["default"] }
-hyper-rustls = { workspace = true, features = ["http2", "logging", "native-tokio", "tls12"] }
-imdsclient.workspace = true
 aws-config.workspace = true
 aws-lc-rs = { workspace = true, features = ["bindgen"] }
 aws-sdk-eks.workspace = true
 aws-sdk-ec2.workspace = true
-aws-types.workspace = true
+aws-smithy-experimental = {workspace = true, features = ["crypto-aws-lc"]}
 aws-smithy-types.workspace = true
-aws-smithy-runtime.workspace = true
-aws-smithy-experimental = { workspace = true, features = ["crypto-aws-lc"] }
+aws-types.workspace = true
+base64.workspace = true
+bottlerocket-modeled-types.workspace = true
+bottlerocket-settings-models.workspace = true
+constants.workspace = true
+imdsclient.workspace = true
 rustls.workspace = true
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 snafu.workspace = true
 tempfile.workspace = true
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 tokio-retry.workspace = true
-tokio-rustls.workspace = true
-url.workspace = true
-log.workspace = true
 
 [build-dependencies]
 generate-readme.workspace = true

sources/api/pluto/src/ec2.rs

@@ -1,9 +1,6 @@
 use crate::aws::sdk_config;
-use crate::proxy;
-#[cfg(feature = "fips")]
-use aws_smithy_experimental::hyper_1_0::{CryptoMode, HyperClientBuilder as Hyper10ClientBuilder};
-#[cfg(not(feature = "fips"))]
-use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
+use crate::PROVIDER;
+use aws_smithy_experimental::hyper_1_0::HyperClientBuilder;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use snafu::{OptionExt, ResultExt, Snafu};
 use std::time::Duration;
@@ -36,9 +33,6 @@ pub(super) enum Error {
 
     #[snafu(display("Missing field '{}' in EC2 response", field))]
     Missing { field: &'static str },
-
-    #[snafu(context(false), display("{}", source))]
-    Proxy { source: proxy::Error },
 }
 
 type Result<T> = std::result::Result<T, Error>;
@@ -55,13 +49,8 @@ where
 {
     let config = sdk_config(region).await;
 
-    #[cfg(not(feature = "fips"))]
     let client = build_client(https_proxy, no_proxy, config)?;
 
-    // FIXME!: support proxies in FIPS mode
-    #[cfg(feature = "fips")]
-    let client = build_client(config)?;
-
     tokio::time::timeout(
         FETCH_PRIVATE_DNS_NAME_TIMEOUT,
         Retry::spawn(
@@ -94,7 +83,6 @@ where
     .context(FetchPrivateDnsNameTimeoutSnafu)?
 }
 
-#[cfg(not(feature = "fips"))]
 fn build_client<H, N>(
     https_proxy: Option<H>,
     no_proxy: Option<&[N]>,
@@ -104,26 +92,16 @@ where
     H: AsRef<str>,
     N: AsRef<str>,
 {
-    let client = if let Some(https_proxy) = https_proxy {
-        let http_connector = proxy::setup_http_client(https_proxy, no_proxy)?;
-        let http_client = HyperClientBuilder::new().build(http_connector);
-        let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
-            .http_client(http_client)
-            .build();
-        aws_sdk_ec2::Client::from_conf(ec2_config)
+    let http_client = if let Some(https_proxy) = https_proxy {
+        let https_proxy = https_proxy.as_ref().to_string();
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_with_proxy(https_proxy, no_proxy)
     } else {
-        aws_sdk_ec2::Client::new(&config)
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_https()
     };
-
-    Ok(client)
-}
-
-// FIXME!: support proxies in FIPS mode
-#[cfg(feature = "fips")]
-fn build_client(config: aws_config::SdkConfig) -> Result<aws_sdk_ec2::Client> {
-    let http_client = Hyper10ClientBuilder::new()
-        .crypto_mode(CryptoMode::AwsLcFips)
-        .build_https();
     let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
         .http_client(http_client)
         .build();