fix: support FIPS in endpoint heuristics #3923

trivikr · 2021-10-20T20:19:48Z

Issue

Internal JS-2892

Description

Adds support for FIPS in endpoint heuristics

Code used to populated test cases

// The models directory contains *.min.json files
// from https://github.com/aws/aws-sdk-js/tree/master/apis
// The endpoints.json contains RIP endpoints
// The metadata.json contains file from
// https://github.com/aws/aws-sdk-js/blob/master/apis/metadata.json

import { readFile, readdir, writeFile } from "fs/promises";

const getClientName = (api, metadata) => {
  if (api.metadata.endpointPrefix === "api.tunneling.iot") {
    return "IoTSecureTunneling";
  }
  const getPrefix = (str) => str.substring(0, str.length - 11);
  const isPrefixInMetadata = ([key, value]) =>
    api.metadata.uid &&
    (getPrefix(api.metadata.uid) === key ||
      getPrefix(api.metadata.uid) === value.prefix);
  if (Object.entries(metadata).some(isPrefixInMetadata)) {
    return Object.entries(metadata).find(isPrefixInMetadata)[1].name;
  }
  let name =
    api.metadata.serviceId ||
    api.metadata.serviceAbbreviation ||
    api.metadata.serviceFullName;
  if (!name) return null;

  name = name.replace(/^Amazon|AWS\s*|\(.*|\s+|\W+/g, "");
  return name;
};

const endpointPrefixSdkIdHash = {};
const models = await readdir("models");
const metadata = JSON.parse((await readFile("metadata.json")).toString());
for (const modelFileName of models) {
  const model = JSON.parse(
    (await readFile(`models/${modelFileName}`)).toString()
  );
  const clientName = getClientName(model, metadata);
  const { endpointPrefix } = model.metadata;
  endpointPrefixSdkIdHash[
    endpointPrefix === "api.tunneling.iot"
      ? "iotsecuredtunneling"
      : endpointPrefix
  ] = clientName;
}

const isFipsRegion = (region) =>
  region.startsWith("fips-") || region.endsWith("-fips");

const testCases = [];
const endpoints = JSON.parse((await readFile("endpoints.json")).toString());
for (const partition of endpoints.partitions) {
  for (const [endpointPrefix, serviceConfig] of Object.entries(
    partition.services
  )) {
    for (const [region, regionConfig] of Object.entries(
      serviceConfig.endpoints
    )) {
      if (isFipsRegion(region)) {
        const { hostname } = regionConfig;
        const regionRegex = partition.regionRegex
          .replace("\\\\", "\\")
          .replace(/^\^/g, "")
          .replace(/\$$/g, "");
        const signingRegion =
          regionConfig.credentialScope?.region ||
          hostname.match(regionRegex)[0];
        testCases.push({
          endpointPrefix,
          clientName: endpointPrefixSdkIdHash[endpointPrefix],
          region,
          signingRegion,
          hostname,
        });
      }
    }
  }
}
await writeFile("testCases.json", JSON.stringify(testCases, null, 2));

Testing

Added mocha tests under test/endpoint

Code used for testing externally

import AWS from "aws-sdk";
import { deepEqual } from "assert";
import { readFile } from "fs/promises";

const getFunctionName = (client) => {
  const funcPrefixes = ["list", "describe", "query", "get", "invoke", "send"];
  const properties = Object.getOwnPropertyNames(Object.getPrototypeOf(client));
  for (const funcPrefix of funcPrefixes) {
    const startsWith = (property) => property.startsWith(funcPrefix);
    if (properties.some(startsWith)) {
      return properties.find(startsWith);
    }
  }
};

const testApiCall = async ({ clientName, region, signingRegion, hostname }) => {
  if (clientName === "IotData") {
    // requires an explicit `endpoint' configuration option.
    return;
  }
  if (!AWS[clientName]) {
    console.log(`${clientName} does not exist`);
    return;
  }

  const client = new AWS[clientName]({ region });

  const functionName = getFunctionName(client);
  if (!functionName) {
    console.log(
      `Function starting with list/describe does not exist for ${clientName}`
    );
    return;
  }
  const req = client[getFunctionName(client)]();
  req.on("complete", () => {
    deepEqual(
      { region, signingRegion, hostname },
      {
        region: client.config.region,
        signingRegion: req.httpRequest.region,
        hostname: req.httpRequest.endpoint.host,
      }
    );
  });

  try {
    await req.promise();
  } catch (error) {}
};

const testCases = JSON.parse((await readFile("testCases.json")).toString());
for (const testCase of testCases) {
  await testApiCall(testCase);
}

Checklist

npm run test passes
changelog is added, npm run add-change
run npm run integration if integration test is changed

lib/region_config.js

test/endpoint/fips/fips.spec.js

lib/region_config_data.json

AllanZhengYP · 2021-10-21T20:27:03Z

Awesome work, thank you!

trivikr added 17 commits October 20, 2021 17:45

fix: set real region as signingRegion for FIPS

6be92c2

chore: use real region when preping endpoint

7869a4b

chore: create fips pattern

01ee1a9

chore: return specific regionPrefix for fips

0e22b5e

fix: add fips exception for api.ecr

c021b61

chore: return fips-* for fips regions

09b1455

chore: add fips exception for streams.dynamodb

02e21af

fix: add check for optional dkr|prod in fip

777ccbe

chore: support most customizations in fips

06502d5

chore: npm run add-change

3a6dc9d

fix: check for region defined in isFips* functions

5fdf3bd

fix: add exceptions for region checks

eb2dfb8

test: copy external tests to test/endpoint/fips

18914bc

test: return a mock response for endpoint tests

eac3fe1

test: call test/endpoint from npm run test

579fc62

chore: add unsupported test cases for record

f3da8cc

chore: change var to const

2d9e247

trivikr marked this pull request as ready for review October 21, 2021 16:18

trivikr requested a review from AllanZhengYP October 21, 2021 16:18

test: pass a fake endpoint for IotData instead of skipping

1df7412

trivikr commented Oct 21, 2021

View reviewed changes

lib/region_config.js Outdated Show resolved Hide resolved

fix: remove redundant dkr/prod check

dbdf9bc

trivikr commented Oct 21, 2021

View reviewed changes

test/endpoint/fips/fips.spec.js Show resolved Hide resolved

chore: remove newline

0929158

AllanZhengYP reviewed Oct 21, 2021

View reviewed changes

lib/region_config_data.json Show resolved Hide resolved

trivikr added 4 commits October 21, 2021 18:50

chore: remove redundant util getFunctionName from test

426486d

test: getRealRegion

e35ebbe

test: set service.signingRegion if FIPS

d7d028a

test:a dd fips-cn-* test cases

ffc77bc

AllanZhengYP approved these changes Oct 21, 2021

View reviewed changes

trivikr merged commit 5f06f52 into aws:master Oct 21, 2021

trivikr deleted the fix-pseudo-region branch October 21, 2021 21:09

This was referenced Oct 22, 2021

fix: update fips endpoint heuristics test to use callback #3928

Merged

chore: add patterns for fips endpoint heuristics #3929

Merged

trivikr mentioned this pull request Nov 10, 2021

Move FIPS rules to a separate section in region_config #3948

Merged

3 tasks

trivikr mentioned this pull request Dec 6, 2023

Add endpoint customizations for services which do not use FIPS suffix #4544

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: support FIPS in endpoint heuristics #3923

fix: support FIPS in endpoint heuristics #3923

trivikr commented Oct 20, 2021 •

edited

AllanZhengYP commented Oct 21, 2021

fix: support FIPS in endpoint heuristics #3923

fix: support FIPS in endpoint heuristics #3923

Conversation

trivikr commented Oct 20, 2021 • edited

Issue

Description

Testing

Checklist

AllanZhengYP commented Oct 21, 2021

trivikr commented Oct 20, 2021 •

edited