Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support FIPS for S3 Outposts #3963

Merged
merged 3 commits into from Nov 16, 2021
Merged

Support FIPS for S3 Outposts #3963

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c1f205f
feat(S3Control): support FIPS for S3 Outposts
trivikr Nov 16, 2021
e5fcb6a
npm run add-change
trivikr Nov 16, 2021
c077a01
chore: fix formatting
trivikr Nov 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changes/next-release/feature-S3Control-8b5d37ea.json
View file
Open in desktop
@@ -0,0 +1,5 @@
{
"type": "feature",
"category": "S3Control",
"description": "Support FIPS for S3 Outposts"
}
15 changes: 12 additions & 3 deletions lib/services/s3control.js
View file
Open in desktop
Expand Up @@ -27,7 +27,7 @@ AWS.util.update(AWS.S3Control.prototype, {
}

if (isArnInBucket || isArnInName) {
request.addListener('validate', s3util.validateArnRegion);
request.addListener('validate', this.validateArnRegion);
request.addListener('validate', this.validateArnAccountWithParams, true);
request.addListener('validate', s3util.validateArnAccount);
request.addListener('validate', s3util.validateArnService);
Expand Down Expand Up @@ -98,9 +98,10 @@ AWS.util.update(AWS.S3Control.prototype, {

var endpoint = req.httpRequest.endpoint;
var useArnRegion = req.service.config.s3UseArnRegion;
var useFipsEndpoint = req.service.config.useFipsEndpoint;

endpoint.hostname = [
's3-outposts',
's3-outposts' + (useFipsEndpoint ? '-fips': ''),
useArnRegion ? parsedArn.region : req.service.config.region,
'amazonaws.com'
].join('.');
Expand All @@ -112,8 +113,9 @@ AWS.util.update(AWS.S3Control.prototype, {
*/
populateEndpointForOutpostId: function populateEndpointForOutpostId(req) {
var endpoint = req.httpRequest.endpoint;
var useFipsEndpoint = req.service.config.useFipsEndpoint;
endpoint.hostname = [
's3-outposts',
's3-outposts' + (useFipsEndpoint ? '-fips': ''),
req.service.config.region,
'amazonaws.com'
].join('.');
Expand All @@ -131,6 +133,13 @@ AWS.util.update(AWS.S3Control.prototype, {
}
},

/**
* @api private
*/
validateArnRegion: function validateArnRegion(req) {
s3util.validateArnRegion(req, { allowFipsEndpoint: true });
},

/**
* @api private
*/
Expand Down
42 changes: 26 additions & 16 deletions test/services/s3control.spec.js
View file
Open in desktop
Expand Up @@ -205,7 +205,7 @@ describe('AWS.S3Control', function() {
});
});

it('should correctly generate access point endpoint for pseudo regions', function() {
it('should correctly generate access point endpoint for s3-external-1', function() {
var client = new AWS.S3Control({region: 'us-east-1'});
helpers.mockHttpResponse(200, {}, '');
var request = client.getBucket({
Expand All @@ -215,22 +215,32 @@ describe('AWS.S3Control', function() {
expect(
built.httpRequest.endpoint.hostname
).to.equal('s3-outposts.s3-external-1.amazonaws.com');
});

var testFipsError = (client) => {
helpers.mockHttpResponse(200, {}, '');
request = client.getBucket({
Bucket: 'arn:aws:s3-outposts:s3-external-1:123456789012:outpost/op-01234567890123456/bucket/mybucket'
});
var error;
request.build(function(err) {
error = err;
});
expect(error.name).to.equal('InvalidConfiguration');
expect(error.message).to.equal('ARN endpoint is not compatible with FIPS region');
};
testFipsError(new AWS.S3Control({region: 'fips-us-east-1'}));
testFipsError(new AWS.S3Control({region: 'us-east-1-fips'}));
testFipsError(new AWS.S3Control({region: 'us-east-1', useFipsEndpoint: true}));
it('should correctly generate access point endpoint when useFipsEndpoint=true', function() {
var client = new AWS.S3Control({region: 'us-gov-west-1', useFipsEndpoint: true});
helpers.mockHttpResponse(200, {}, '');
var request = client.getBucket({
Bucket: 'arn:aws:s3-outposts:us-gov-west-1:123456789012:outpost/op-01234567890123456/bucket/mybucket'
});
var built = request.build(function() {});
expect(
built.httpRequest.endpoint.hostname
).to.equal('s3-outposts-fips.us-gov-west-1.amazonaws.com');
});

it('should throw when fips region is passed in ARN', function() {
var client = new AWS.S3Control({region: 'us-gov-west-1', useFipsEndpoint: true});
helpers.mockHttpResponse(200, {}, '');
var request = client.getBucket({
Bucket: 'arn:aws:s3-outposts:fips-us-gov-west-1:123456789012:outpost/op-01234567890123456/bucket/mybucket'
});
var error;
request.build(function(err) {
error = err;
});
expect(error.name).to.equal('InvalidConfiguration');
expect(error.message).to.equal('FIPS region not allowed in ARN');
});

it('should use regions from ARN if s3UseArnRegion config is set to false', function(done) {
Expand Down