

Add some more updates based on feedback
Specifically:
* Have use_arn_region checks use True as the default
* Add changelog entries
kyleknap committed May 13, 2021
1 parent 0813832 commit 2dc1c2f
Showing 5 changed files with 42 additions and 11 deletions.
5 changes: 5 additions & 0 deletions .changes/next-release/enhancement-FIPS-99887.json
@@ -0,0 +1,5 @@
{
"type": "enhancement",
"category": "FIPS",
"description": "Add validation to only attempt to connect to FIPS endpoints with a FIPS pseudo-region if the pseudo-region is explicitly known to the SDK."
}
5 changes: 5 additions & 0 deletions .changes/next-release/enhancement-s3-29784.json
@@ -0,0 +1,5 @@
{
"type": "enhancement",
"category": "``s3``",
"description": "Block endpoint resolution of clients configured with S3 pseudo-regions (e.g. ``aws-global``, ``s3-external-1``) that will never resolve to a correct access point endpoint."
}
4 changes: 2 additions & 2 deletions botocore/utils.py
Expand Up @@ -1585,7 +1585,7 @@ def _validate_fips_supported(self, request):
client_region = self._region.replace('fips-', '').replace('-fips', '')
accesspoint_region = request.context['s3_accesspoint']['region']
if accesspoint_region != client_region:
if self._s3_config.get('use_arn_region'):
if self._s3_config.get('use_arn_region', True):
raise UnsupportedS3AccesspointConfigurationError(
msg=(
'Client is configured to use the FIPS psuedo-region '
Expand All @@ -1608,7 +1608,7 @@ def _validate_fips_supported(self, request):
)

def _validate_global_regions(self, request):
if self._s3_config.get('use_arn_region'):
if self._s3_config.get('use_arn_region', True):
return
if self._region in ['aws-global', 's3-external-1']:
raise UnsupportedS3AccesspointConfigurationError(
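Review bot: The `True` default for `use_arn_region` is now a bare literal in two validators — `self._s3_config.get('use_arn_region', True)` here in `_validate_global_regions` and again in `_validate_fips_supported` in the previous hunk — and nothing ties it to whatever default the endpoint resolver itself applies when the option is unset, so the guard and the routing it protects can drift apart. Pulling it into one accessor, `def _use_arn_region(self): return self._s3_config.get('use_arn_region', True)`, and calling that from both checks keeps a single definition. With the default flipped, an unset option now takes the early `return` and skips the `aws-global`/`s3-external-1` rejection entirely, which appears intended (the ARN region drives resolution) but deserves a comment on the `return` such as `# Unset defaults to True: the ARN's region is used, so the pseudo-region check does not apply.`. Both enclosing functions extend past the hunk boundaries.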
4 changes: 2 additions & 2 deletions tests/functional/test_endpoints.py
Expand Up @@ -179,7 +179,7 @@ def _assert_service_name_matches_endpoint_prefix(session, service_name):
actual_service_name, computed_name))


_S3_WHITELISTED_PSEUDO_FIPS_REGIONS = [
_S3_ALLOWED_PSEUDO_FIPS_REGIONS = [
'fips-accesspoint-ca-central-1',
'fips-accesspoint-us-east-1',
'fips-accesspoint-us-east-2',
Expand All @@ -192,7 +192,7 @@ def _assert_service_name_matches_endpoint_prefix(session, service_name):


def _assert_is_not_psuedo_fips_region(region_name):
if region_name in _S3_WHITELISTED_PSEUDO_FIPS_REGIONS:
if region_name in _S3_ALLOWED_PSEUDO_FIPS_REGIONS:
return

msg = (
35 changes: 28 additions & 7 deletions tests/functional/test_s3.py
Expand Up @@ -858,7 +858,9 @@ def test_s3_object_lambda_fips_raise_for_cross_region(self):
'accesspoint/mybanner'
)
self.client, _ = self.create_stubbed_s3_client(
region_name='fips-us-gov-west-1')
region_name='fips-us-gov-west-1',
config=Config(s3={'use_arn_region': False})
)
expected_exception = UnsupportedS3AccesspointConfigurationError
with self.assertRaisesRegexp(expected_exception,
'ARNs in another region are not allowed'):
Expand All @@ -878,12 +880,12 @@ def test_s3_object_lambda_with_global_regions(self):
'arn:aws:s3-object-lambda:us-east-1:123456789012:'
'accesspoint/mybanner'
)
self.client, _ = self.create_stubbed_s3_client(
region_name='s3-external-1')
expected_exception = UnsupportedS3AccesspointConfigurationError
expected_msg = 'a regional endpoint must be specified'
for region in ('aws-global', 's3-external-1'):
self.client, _ = self.create_stubbed_s3_client(region_name=region)
self.client, _ = self.create_stubbed_s3_client(
region_name=region, config=Config(s3={'use_arn_region': False})
)
with self.assertRaisesRegexp(expected_exception, expected_msg):
self.client.list_objects(Bucket=s3_object_lambda_arn)

Expand Down Expand Up @@ -943,7 +945,9 @@ def test_accesspoint_fips_raise_for_cross_region(self):
'accesspoint:myendpoint'
)
self.client, _ = self.create_stubbed_s3_client(
region_name='fips-us-gov-west-1')
region_name='fips-us-gov-west-1',
config=Config(s3={'use_arn_region': False})
)
expected_exception = UnsupportedS3AccesspointConfigurationError
with self.assertRaisesRegexp(expected_exception,
'ARNs in another region are not allowed'):
Expand All @@ -963,13 +967,15 @@ def test_accesspoint_with_global_regions(self):
'arn:aws:s3:us-east-1:123456789012:accesspoint:myendpoint'
)
self.client, _ = self.create_stubbed_s3_client(
region_name='aws-global')
region_name='aws-global',
config=Config(s3={'use_arn_region': False})
)
expected_exception = UnsupportedS3AccesspointConfigurationError
with self.assertRaisesRegexp(expected_exception,
'regional endpoint must be specified'):
self.client.list_objects(Bucket=s3_accesspoint_arn)

# in shouldn't raise if use_arn_region is True
# It shouldn't raise if use_arn_region is True
self.client, self.http_stubber = self.create_stubbed_s3_client(
region_name='s3-external-1',
config=Config(s3={'use_arn_region': True})
Expand All @@ -984,6 +990,21 @@ def test_accesspoint_with_global_regions(self):
)
self.assert_endpoint(request, expected_endpoint)

# It shouldn't raise if no use_arn_region is specified since
# use_arn_region defaults to True
self.client, self.http_stubber = self.create_stubbed_s3_client(
region_name='s3-external-1',
)

self.http_stubber.add_response()
self.client.list_objects(Bucket=s3_accesspoint_arn)
request = self.http_stubber.requests[0]
expected_endpoint = (
'myendpoint-123456789012.s3-accesspoint.'
'us-east-1.amazonaws.com'
)
self.assert_endpoint(request, expected_endpoint)


class TestOnlyAsciiCharsAllowed(BaseS3OperationTest):
def test_validates_non_ascii_chars_trigger_validation_error(self):
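Review bot: The block added at the end of `test_accesspoint_with_global_regions` (create client, `add_response`, `list_objects`, read `requests[0]`, `assert_endpoint`) repeats the preceding `use_arn_region: True` block line for line with only the client kwargs differing, so the test body is better expressed through one helper that both call. Its object-lambda sibling, `test_s3_object_lambda_with_global_regions`, gained the explicit `use_arn_region: False` client for the raising path but, as far as this hunk shows, no matching case that an unconfigured client resolves on the ARN region, so the new default is covered for only one of the two ARN types. That method continues past the hunk cut, so the case may exist below it. A helper along the lines below, placed on the test class, would make adding the second case a three-line change.
```python
    def _assert_accesspoint_resolves(self, arn, expected_endpoint, **client_kwargs):
        # One stubbed response, then check the host the ARN bucket resolved to.
        self.client, self.http_stubber = self.create_stubbed_s3_client(**client_kwargs)
        self.http_stubber.add_response()
        self.client.list_objects(Bucket=arn)
        request = self.http_stubber.requests[0]
        self.assert_endpoint(request, expected_endpoint)

    # … unchanged: raising path of test_accesspoint_with_global_regions …

        # It shouldn't raise if no use_arn_region is specified since
        # use_arn_region defaults to True
        self._assert_accesspoint_resolves(
            s3_accesspoint_arn, expected_endpoint, region_name='s3-external-1'
        )
```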
