pluto: add proxy support for FIPS

Replaces `hyper-proxy` with `hyper-http-proxy`. Adds support for hyper client creation using a custom HTTP connector in `aws-smithy-experimental`. Signed-off-by: Patrick J.P. Culp <jpculp@amazon.com>
bottlerocket-os · Oct 23, 2024 · 8e0a323 · 8e0a323
1 parent d27c57b
commit 8e0a323
Show file tree

Hide file tree

Showing 16 changed files with 124 additions and 756 deletions.
diff --git a/COPYRIGHT b/COPYRIGHT
@@ -14,12 +14,6 @@ operating system images.
 
 =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
-Contains modified hyper-proxy files [mod.rs, stream.rs, tunnel.rs] from
-https://github.com/tafia/hyper-proxy 2021-09-20.
-Copyright (c) 2017 Johann Tuffe. Licensed under the MIT License.
-
-=^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
-
 Contains aws-smithy-experimental from
 https://github.com/smithy-lang/smithy-rs/tree/release-2024-10-09.
 Licensed under the Apache-2.0 License.
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
@@ -143,15 +143,15 @@ glob = "0.3"
 gptman = { version = "1", default-features = false }
 handlebars = "4"
 h2 = "0.4"
-headers = "0.3"
+headers = "0.4"
 hex-literal = "0.4"
 http = "0.2"
 httparse = "1"
 httptest = "0.15"
-hyper = { version = "0.14", default-features = false }
-hyper-util = "0.1"
-# FIXME: bump to 0.27 once hyper-proxy is dropped
-hyper-rustls = { version = "0.24", default-features = false }
+hyper = { version = "1", default-features = false }
+hyper-http-proxy = "1"
+hyper-rustls = { version = "0.27", default-features = false }
+hyper-util = { version = "0.1", default-features = false }
 hyper-unix-connector = "0.2"
 indexmap = "2"
 ipnet = "2"
@@ -194,9 +194,8 @@ syn = { version = "2", default-features = false }
 tar = { version = "0.4", default-features = false }
 tempfile = "3"
 test-case = "3"
-tokio = { version = "~1.32", default-features = false }  # LTS
+tokio = { version = "~1.36", default-features = false }  # LTS
 tokio-retry = "0.3"
-tokio-rustls = "0.24"
 tokio-test = "0.4"
 tokio-tungstenite = { version = "0.20", default-features = false }
 tokio-util = "0.7"

diff --git a/sources/api/apiclient/Cargo.toml b/sources/api/apiclient/Cargo.toml
@@ -23,7 +23,7 @@ futures.workspace = true
 futures-channel.workspace = true
 http.workspace = true
 httparse.workspace = true
-hyper = { workspace = true, features = ["client", "http1", "http2", "tcp"] }
+hyper = { version = "0.14", features = ["client", "http1", "http2", "tcp"] }
 hyper-unix-connector.workspace = true
 libc.workspace = true
 log.workspace = true

diff --git a/sources/api/pluto/Cargo.toml b/sources/api/pluto/Cargo.toml
@@ -16,33 +16,29 @@ fips = ["aws-lc-rs/fips", "aws-smithy-experimental/crypto-aws-lc-fips", "rustls/
 source-groups = ["aws-smithy-experimental"]
 
 [dependencies]
-bottlerocket-modeled-types.workspace = true
-bottlerocket-settings-models.workspace = true
-bytes.workspace = true
-constants.workspace = true
-futures-util.workspace = true
-headers.workspace = true
-http.workspace = true
-hyper = { workspace = true, features = ["default"] }
-hyper-rustls = { workspace = true, features = ["http2", "logging", "native-tokio", "tls12"] }
-imdsclient = { workspace = true }
 aws-config.workspace = true
 aws-lc-rs = { workspace = true, features = ["bindgen"] }
 aws-sdk-eks.workspace = true
 aws-sdk-ec2.workspace = true
-aws-types.workspace = true
+aws-smithy-experimental = {workspace = true, features = ["crypto-aws-lc"]}
 aws-smithy-types.workspace = true
-aws-smithy-runtime.workspace = true
-aws-smithy-experimental = { workspace = true, features = ["crypto-aws-lc"] }
+aws-types.workspace = true
+bottlerocket-modeled-types.workspace = true
+bottlerocket-settings-models.workspace = true
+constants.workspace = true
+headers.workspace = true
+hyper = { workspace = true, features = ["default"] }
+hyper-http-proxy.workspace = true
+hyper-util = { workspace = true, features = ["client", "client-legacy", "tokio"] }
+hyper-rustls = { workspace = true, features = ["http1","http2", "logging", "native-tokio", "tls12"] }
+imdsclient.workspace = true
 rustls.workspace = true
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 snafu.workspace = true
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 tokio-retry.workspace = true
-tokio-rustls.workspace = true
 url.workspace = true
-log.workspace = true
 
 [build-dependencies]
 generate-readme.workspace = true

diff --git a/sources/api/pluto/src/ec2.rs b/sources/api/pluto/src/ec2.rs
@@ -1,9 +1,6 @@
 use crate::aws::sdk_config;
-use crate::proxy;
-#[cfg(feature = "fips")]
-use aws_smithy_experimental::hyper_1_0::{CryptoMode, HyperClientBuilder as Hyper10ClientBuilder};
-#[cfg(not(feature = "fips"))]
-use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
+use crate::{proxy, PROVIDER};
+use aws_smithy_experimental::hyper_1_0::HyperClientBuilder;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use snafu::{OptionExt, ResultExt, Snafu};
 use std::time::Duration;
@@ -55,13 +52,8 @@ where
 {
     let config = sdk_config(region).await;
 
-    #[cfg(not(feature = "fips"))]
     let client = build_client(https_proxy, no_proxy, config)?;
 
-    // FIXME!: support proxies in FIPS mode
-    #[cfg(feature = "fips")]
-    let client = build_client(config)?;
-
     tokio::time::timeout(
         FETCH_PRIVATE_DNS_NAME_TIMEOUT,
         Retry::spawn(
@@ -94,7 +86,6 @@ where
     .context(FetchPrivateDnsNameTimeoutSnafu)?
 }
 
-#[cfg(not(feature = "fips"))]
 fn build_client<H, N>(
     https_proxy: Option<H>,
     no_proxy: Option<&[N]>,
@@ -104,26 +95,16 @@ where
     H: AsRef<str>,
     N: AsRef<str>,
 {
-    let client = if let Some(https_proxy) = https_proxy {
+    let http_client = if let Some(https_proxy) = https_proxy {
         let http_connector = proxy::setup_http_client(https_proxy, no_proxy)?;
-        let http_client = HyperClientBuilder::new().build(http_connector);
-        let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
-            .http_client(http_client)
-            .build();
-        aws_sdk_ec2::Client::from_conf(ec2_config)
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_with_connector(http_connector)
     } else {
-        aws_sdk_ec2::Client::new(&config)
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_https()
     };
-
-    Ok(client)
-}
-
-// FIXME!: support proxies in FIPS mode
-#[cfg(feature = "fips")]
-fn build_client(config: aws_config::SdkConfig) -> Result<aws_sdk_ec2::Client> {
-    let http_client = Hyper10ClientBuilder::new()
-        .crypto_mode(CryptoMode::AwsLcFips)
-        .build_https();
     let ec2_config = aws_sdk_ec2::config::Builder::from(&config)
         .http_client(http_client)
         .build();

diff --git a/sources/api/pluto/src/eks.rs b/sources/api/pluto/src/eks.rs
@@ -1,10 +1,7 @@
 use crate::aws::sdk_config;
-use crate::proxy;
+use crate::{proxy, PROVIDER};
 use aws_sdk_eks::types::KubernetesNetworkConfigResponse;
-#[cfg(feature = "fips")]
-use aws_smithy_experimental::hyper_1_0::{CryptoMode, HyperClientBuilder as Hyper10ClientBuilder};
-#[cfg(not(feature = "fips"))]
-use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
+use aws_smithy_experimental::hyper_1_0::HyperClientBuilder;
 use snafu::{OptionExt, ResultExt, Snafu};
 use std::time::Duration;
 
@@ -48,13 +45,8 @@ where
 {
     let config = sdk_config(region).await;
 
-    #[cfg(not(feature = "fips"))]
     let client = build_client(https_proxy, no_proxy, config)?;
 
-    // FIXME!: support proxies in FIPS mode
-    #[cfg(feature = "fips")]
-    let client = build_client(config)?;
-
     tokio::time::timeout(
         EKS_DESCRIBE_CLUSTER_TIMEOUT,
         client.describe_cluster().name(cluster.to_owned()).send(),
@@ -70,7 +62,6 @@ where
     })
 }
 
-#[cfg(not(feature = "fips"))]
 fn build_client<H, N>(
     https_proxy: Option<H>,
     no_proxy: Option<&[N]>,
@@ -80,26 +71,16 @@ where
     H: AsRef<str>,
     N: AsRef<str>,
 {
-    let client = if let Some(https_proxy) = https_proxy {
+    let http_client = if let Some(https_proxy) = https_proxy {
         let http_connector = proxy::setup_http_client(https_proxy, no_proxy)?;
-        let http_client = HyperClientBuilder::new().build(http_connector);
-        let eks_config = aws_sdk_eks::config::Builder::from(&config)
-            .http_client(http_client)
-            .build();
-        aws_sdk_eks::Client::from_conf(eks_config)
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_with_connector(http_connector)
     } else {
-        aws_sdk_eks::Client::new(&config)
+        HyperClientBuilder::new()
+            .crypto_mode(PROVIDER)
+            .build_https()
     };
-
-    Ok(client)
-}
-
-// FIXME!: support proxies in FIPS mode
-#[cfg(feature = "fips")]
-fn build_client(config: aws_config::SdkConfig) -> Result<aws_sdk_eks::Client> {
-    let http_client = Hyper10ClientBuilder::new()
-        .crypto_mode(CryptoMode::AwsLcFips)
-        .build_https();
     let eks_config = aws_sdk_eks::config::Builder::from(&config)
         .http_client(http_client)
         .build();