
Support FIPS for S3 Accesspoint & Object Lambda (#3964)
trivikr authored Nov 17, 2021
1 parent a4291e2 commit 1e6b66f
Showing 4 changed files with 58 additions and 35 deletions.
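--- a/.changes/next-release/bugfix-S3-b27b69fd.json
+++ b/.changes/next-release/bugfix-S3-b27b69fd.json
@@ -0,0 +1,5 @@
+{
+"type": "bugfix",
+"category": "S3",
+"description": "Support FIPS for S3 Accesspoint & Object Lambda"
+}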
16 changes: 13 additions & 3 deletions lib/services/s3.js
Expand Up @@ -150,11 +150,12 @@ AWS.util.update(AWS.S3.prototype, {
if (request._parsedArn.service === 's3') {
request.addListener('validate', s3util.validateS3AccessPointArn);
request.addListener('validate', this.validateArnResourceType);
request.addListener('validate', this.validateArnRegion);
} else if (request._parsedArn.service === 's3-outposts') {
request.addListener('validate', s3util.validateOutpostsAccessPointArn);
request.addListener('validate', s3util.validateOutpostsArn);
request.addListener('validate', s3util.validateArnRegion);
}
request.addListener('validate', s3util.validateArnRegion);
request.addListener('validate', s3util.validateArnAccount);
request.addListener('validate', s3util.validateArnService);
request.addListener('build', this.populateUriFromAccessPointArn);
Expand Down Expand Up @@ -196,6 +197,13 @@ AWS.util.update(AWS.S3.prototype, {
}
},

/**
* @api private
*/
validateArnRegion: function validateArnRegion(req) {
s3util.validateArnRegion(req, { allowFipsEndpoint: true });
},

/**
* Validate resource-type supplied in S3 ARN
*/
Expand Down Expand Up @@ -351,6 +359,7 @@ AWS.util.update(AWS.S3.prototype, {

var outpostsSuffix = isOutpostArn ? '.' + accessPointArn.outpostId: '';
var serviceName = isOutpostArn ? 's3-outposts': 's3-accesspoint';
var fipsSuffix = !isOutpostArn && req.service.config.useFipsEndpoint ? '-fips': '';
var dualStackSuffix = !isOutpostArn && req.service.config.useDualstack ? '.dualstack' : '';

var endpoint = req.httpRequest.endpoint;
Expand All @@ -359,7 +368,7 @@ AWS.util.update(AWS.S3.prototype, {

endpoint.hostname = [
accessPointArn.accessPoint + '-' + accessPointArn.accountId + outpostsSuffix,
serviceName + dualStackSuffix,
serviceName + fipsSuffix + dualStackSuffix,
useArnRegion ? accessPointArn.region : req.service.config.region,
dnsSuffix
].join('.');
Expand All @@ -368,9 +377,10 @@ AWS.util.update(AWS.S3.prototype, {
// should be in the format: "accesspoint/${accesspointName}"
var serviceName = 's3-object-lambda';
var accesspointName = accessPointArn.resource.split('/')[1];
var fipsSuffix = req.service.config.useFipsEndpoint ? '-fips': '';
endpoint.hostname = [
accesspointName + '-' + accessPointArn.accountId,
serviceName,
serviceName + fipsSuffix,
useArnRegion ? accessPointArn.region : req.service.config.region,
dnsSuffix
].join('.');
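Review bot: With `useFipsEndpoint: true` and an outposts ARN, the new `var fipsSuffix = !isOutpostArn && req.service.config.useFipsEndpoint ? '-fips': '';` line yields `''`, so the request is built against a plain `s3-outposts` hostname and the FIPS setting is silently dropped rather than rejected; unless `s3util.validateOutpostsArn` or the unchanged `s3util.validateArnRegion` call in the `s3-outposts` branch of the first hunk rejects that combination (not visible here), a caller relying on FIPS endpoints gets a non-FIPS endpoint with no error. Making the mismatch explicit next to the suffix computation, e.g. `if (isOutpostArn && req.service.config.useFipsEndpoint) { throw AWS.util.error(new Error(), { code: 'InvalidConfiguration', message: 'Outposts ARN is not compatible with FIPS endpoint' }); }` (message wording is a placeholder), would match the `InvalidConfiguration` errors the tests in this commit already expect. The `validateArnRegion` wrapper added in the second hunk carries only `@api private`; a line such as `* Delegates to s3util.validateArnRegion with allowFipsEndpoint so s3 access point ARNs accept a FIPS client config; outposts ARNs keep the strict check` would explain why two region validators now exist. The endpoint-building function (apparently `populateUriFromAccessPointArn`, registered on the `'build'` listener in the first hunk) starts before and ends after the last three hunks.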
22 changes: 11 additions & 11 deletions scripts/region-checker/allowlist.js
Expand Up @@ -37,17 +37,17 @@ var allowlist = {
'/services/s3.js': [
87,
88,
252,
254,
267,
273,
629,
631,
750,
761,
762,
763,
768
260,
262,
275,
281,
639,
641,
760,
771,
772,
773,
778
]
};

50 changes: 29 additions & 21 deletions test/services/s3.spec.js
Expand Up @@ -3461,34 +3461,42 @@ describe('AWS.S3', function() {
});
});

it('should correctly generate access point endpoint for pseudo regions', function() {
s3 = new AWS.S3({region: 'us-east-1'});
it('should correctly generate access point endpoint for s3-external-1', function() {
var client = new AWS.S3({region: 'us-east-1'});
helpers.mockHttpResponse(200, {}, '');
var request = s3.getObject({
Bucket: 'arn:aws:s3:s3-external-1:123456789012:accesspoint/myendpoint',
Key: 'key'
var request = client.listObjects({
Bucket: 'arn:aws:s3:s3-external-1:123456789012:accesspoint/myendpoint'
});
var built = request.build(function() {});
expect(
built.httpRequest.endpoint.hostname
).to.equal('myendpoint-123456789012.s3-accesspoint.s3-external-1.amazonaws.com');
});

var testFipsError = (s3) => {
helpers.mockHttpResponse(200, {}, '');
request = s3.getObject({
Bucket: 'arn:aws:s3:us-east-1:123456789012:accesspoint/myendpoint',
Key: 'key'
});
var error;
request.build(function(err) {
error = err;
});
expect(error.name).to.equal('InvalidConfiguration');
expect(error.message).to.equal('ARN endpoint is not compatible with FIPS region');
};
testFipsError(new AWS.S3({region: 'fips-us-east-1'}));
testFipsError(new AWS.S3({region: 'us-east-1-fips'}));
testFipsError(new AWS.S3({region: 'us-east-1', useFipsEndpoint: true}));
it('should correctly generate access point endpoint when useFipsEndpoint=true', function() {
var client = new AWS.S3({region: 'us-west-2', useFipsEndpoint: true});
helpers.mockHttpResponse(200, {}, '');
var request = client.listObjects({
Bucket: 'arn:aws:s3:us-west-2:123456789012:accesspoint/myendpoint'
});
var built = request.build(function() {});
expect(
built.httpRequest.endpoint.hostname
).to.equal('myendpoint-123456789012.s3-accesspoint-fips.us-west-2.amazonaws.com');
});

it('should throw when fips region is passed in ARN', function() {
var client = new AWS.S3({region: 'us-west-2', useFipsEndpoint: true});
helpers.mockHttpResponse(200, {}, '');
var request = client.listObjects({
Bucket: 'arn:aws:s3:fips-us-west-2:123456789012:accesspoint/myendpoint'
});
var error;
request.build(function(err) {
error = err;
});
expect(error.name).to.equal('InvalidConfiguration');
expect(error.message).to.equal('FIPS region not allowed in ARN');
});

it('should use regions from ARN if s3UseArnRegion config is set to false', function(done) {
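Review bot: The new `-fips` suffix for the `s3-object-lambda` hostname in lib/services/s3.js has no test in this hunk; the two added cases only cover the `s3-accesspoint` hostname and the FIPS-region-in-ARN rejection, so a regression in the object lambda branch would go unnoticed. A case parallel to the `useFipsEndpoint=true` access point test would close that gap; the ARN and expected hostname below are constructed from the hostname-building code in this commit and should be checked against the object lambda branch condition, which is outside the diff. Dropping `testFipsError` also removes the only coverage of a client configured with a pseudo-FIPS `region` such as `fips-us-east-1`, so whether that configuration is now accepted or rejected with an access point ARN is no longer asserted anywhere visible. The enclosing `describe('AWS.S3', ...)` starts before and ends after the hunk.
```javascript
it('should correctly generate object lambda endpoint when useFipsEndpoint=true', function() {
  var client = new AWS.S3({region: 'us-west-2', useFipsEndpoint: true});
  helpers.mockHttpResponse(200, {}, '');
  var request = client.listObjects({
    Bucket: 'arn:aws:s3-object-lambda:us-west-2:123456789012:accesspoint/mybanner'
  });
  var built = request.build(function() {});
  expect(
    built.httpRequest.endpoint.hostname
  ).to.equal('mybanner-123456789012.s3-object-lambda-fips.us-west-2.amazonaws.com');
});
```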
