Added support for enabling FIPS endpoints. (#2826)

This option can be used to make calls be invoked against FIPS-compliant AWS endpoints. This can also be enabled via the AWS_USE_FIPS_ENDPOINT environment variable, aws.useFipsEndpoint system property, or the use_fips_endpoint profile file property:

Author: millems

.changes/next-release/deprecation-AmazonS3Control-df756f2.json

@@ -0,0 +1,6 @@
+{
+    "category": "Amazon S3 Control", 
+    "contributor": "", 
+    "type": "deprecation", 
+    "description": "Deprecated `S3ControlConfiguration.Builder`'s `fipsModeEnabled` in favor of the new service-standard `S3ControlClientBuilder.fipsEnabled`."
+}

.changes/next-release/feature-AWSSDKforJavav2-635c382.json

@@ -0,0 +1,6 @@
+{
+    "category": "AWS SDK for Java v2", 
+    "contributor": "", 
+    "type": "feature", 
+    "description": "Added a new `fipsEnabled` property to every client builder, which can be used to make calls be invoked against AWS endpoints which are FIPS compliant. This can also be enabled via the `AWS_USE_FIPS_ENDPOINT` environment variable, `aws.useFipsEndpoint` system property, or the `use_fips_endpoint` profile file property."
+}

codegen-lite/src/main/java/software/amazon/awssdk/codegen/lite/regions/RegionValidationUtil.java

@@ -25,6 +25,7 @@
 import java.util.Set;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.codegen.lite.regions.model.Endpoint;
+import software.amazon.awssdk.utils.StringUtils;
 import software.amazon.awssdk.utils.Validate;
 
 @SdkInternalApi
@@ -43,7 +44,7 @@ public final class RegionValidationUtil {
             try (BufferedReader br = new BufferedReader(new InputStreamReader(allowListStream, StandardCharsets.UTF_8))) {
                 String line;
                 while ((line = br.readLine()) != null) {
-                    DEPRECATED_REGIONS_ALLOWSLIST.add(line);
+                    DEPRECATED_REGIONS_ALLOWSLIST.add(StringUtils.trim(line));
                 }
             }
         } catch (IOException e) {

codegen/src/main/java/software/amazon/awssdk/codegen/model/config/customization/CustomizationConfig.java

@@ -37,16 +37,9 @@ public class CustomizationConfig {
     private final List<ConvenienceTypeOverload> convenienceTypeOverloads = new ArrayList<>();
 
     /**
-     * Specifies the name of the client configuration class to use if a service
-     * has a specific advanced client configuration class. Null if the service
-     * does not have advanced configuration.
+     * Configuration object for service-specific configuration options.
      */
-    private String serviceSpecificClientConfigClass;
-
-    /**
-     * Whether a service has a dualstack configuration in its {@link #serviceSpecificClientConfigClass}.
-     */
-    private boolean serviceConfigHasDualstackConfig = false;
+    private ServiceConfig serviceConfig = new ServiceConfig();
 
     /**
      * Specify shapes to be renamed.
@@ -244,22 +237,6 @@ public void setShapeModifiers(Map<String, ShapeModifier> shapeModifiers) {
         this.shapeModifiers = shapeModifiers;
     }
 
-    public String getServiceSpecificClientConfigClass() {
-        return serviceSpecificClientConfigClass;
-    }
-
-    public void setServiceSpecificClientConfigClass(String serviceSpecificClientConfig) {
-        this.serviceSpecificClientConfigClass = serviceSpecificClientConfig;
-    }
-
-    public boolean getServiceConfigHasDualstackConfig() {
-        return serviceConfigHasDualstackConfig;
-    }
-
-    public void setServiceConfigHasDualstackConfig(boolean serviceConfigHasDualstackConfig) {
-        this.serviceConfigHasDualstackConfig = serviceConfigHasDualstackConfig;
-    }
-
     public List<ConvenienceTypeOverload> getConvenienceTypeOverloads() {
         return this.convenienceTypeOverloads;
     }
@@ -517,4 +494,12 @@ public RetryMode getDefaultRetryMode() {
     public void setDefaultRetryMode(RetryMode defaultRetryMode) {
         this.defaultRetryMode = defaultRetryMode;
     }
+
+    public ServiceConfig getServiceConfig() {
+        return serviceConfig;
+    }
+
+    public void setServiceConfig(ServiceConfig serviceConfig) {
+        this.serviceConfig = serviceConfig;
+    }
 }

codegen/src/main/java/software/amazon/awssdk/codegen/model/config/customization/ServiceConfig.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.codegen.model.config.customization;
+
+public class ServiceConfig {
+    /**
+     * Specifies the name of the client configuration class to use if a service
+     * has a specific advanced client configuration class. Null if the service
+     * does not have advanced configuration.
+     */
+    private String className;
+
+    /**
+     * Whether the service config has a property used to manage dualstack (should be deprecated in favor of
+     * AwsClientBuilder#dualstackEnabled).
+     */
+    private boolean hasDualstackProperty = false;
+
+    /**
+     * Whether the service config has a property used to manage FIPS (should be deprecated in favor of
+     * AwsClientBuilder#fipsEnabled).
+     */
+    private boolean hasFipsProperty = false;
+
+    public String getClassName() {
+        return className;
+    }
+
+    public void setClassName(String className) {
+        this.className = className;
+    }
+
+    public boolean hasDualstackProperty() {
+        return hasDualstackProperty;
+    }
+
+    public void setHasDualstackProperty(boolean hasDualstackProperty) {
+        this.hasDualstackProperty = hasDualstackProperty;
+    }
+
+    public boolean hasFipsProperty() {
+        return hasFipsProperty;
+    }
+
+    public void setHasFipsProperty(boolean hasFipsProperty) {
+        this.hasFipsProperty = hasFipsProperty;
+    }
+}

codegen/src/main/java/software/amazon/awssdk/codegen/poet/builder/BaseClientBuilderClass.java

@@ -102,7 +102,7 @@ public TypeSpec poetSpec() {
         builder.addMethod(defaultSignerMethod());
         builder.addMethod(signingNameMethod());
 
-        if (model.getCustomizationConfig().getServiceSpecificClientConfigClass() != null) {
+        if (model.getCustomizationConfig().getServiceConfig().getClassName() != null) {
             builder.addMethod(setServiceConfigurationMethod())
                    .addMethod(beanStyleSetServiceConfigurationMethod());
         }
@@ -167,7 +167,7 @@ private MethodSpec mergeServiceDefaultsMethod() {
                                                         + ".CRC32_FROM_COMPRESSED_DATA_ENABLED, $L)",
                                                         SdkClientOption.class, crc32FromCompressedDataEnabled);
 
-        String clientConfigClassName = model.getCustomizationConfig().getServiceSpecificClientConfigClass();
+        String clientConfigClassName = model.getCustomizationConfig().getServiceConfig().getClassName();
         if (StringUtils.isNotBlank(clientConfigClassName)) {
             builder.addCode(".option($T.SERVICE_CONFIGURATION, $T.builder().build())",
                             SdkClientOption.class, ClassName.bestGuess(clientConfigClassName));
@@ -239,15 +239,15 @@ private MethodSpec finalizeServiceConfigurationMethod() {
                    .endControlFlow();
         }
 
-        String clientConfigClassName = model.getCustomizationConfig().getServiceSpecificClientConfigClass();
+        String clientConfigClassName = model.getCustomizationConfig().getServiceConfig().getClassName();
         if (StringUtils.isNotBlank(clientConfigClassName)) {
             ClassName clientConfigClass = ClassName.bestGuess(clientConfigClassName);
             builder.addCode("$1T.Builder c = (($1T) config.option($2T.SERVICE_CONFIGURATION)).toBuilder();" +
                             "c.profileFile(c.profileFile() != null ? c.profileFile() : config.option($2T.PROFILE_FILE));" +
                             "c.profileName(c.profileName() != null ? c.profileName() : config.option($2T.PROFILE_NAME));",
                             clientConfigClass, SdkClientOption.class);
 
-            if (model.getCustomizationConfig().getServiceConfigHasDualstackConfig()) {
+            if (model.getCustomizationConfig().getServiceConfig().hasDualstackProperty()) {
                 builder.addCode("if (c.dualstackEnabled() != null) {")
                        .addCode("    $T.validState(config.option($T.DUALSTACK_ENDPOINT_ENABLED) == null, \"Dualstack has been "
                                 + "configured on both $L and the client/global level. Please limit dualstack configuration to "
@@ -257,12 +257,31 @@ private MethodSpec finalizeServiceConfigurationMethod() {
                        .addCode("    c.dualstackEnabled(config.option($T.DUALSTACK_ENDPOINT_ENABLED));", AwsClientOption.class)
                        .addCode("}");
             }
+
+            if (model.getCustomizationConfig().getServiceConfig().hasFipsProperty()) {
+                builder.addCode("if (c.fipsModeEnabled() != null) {")
+                       .addCode("    $T.validState(config.option($T.FIPS_ENDPOINT_ENABLED) == null, \"Fips has been "
+                                + "configured on both $L and the client/global level. Please limit fips configuration to "
+                                + "one location.\");",
+                                Validate.class, AwsClientOption.class, clientConfigClassName)
+                       .addCode("} else {")
+                       .addCode("    c.fipsModeEnabled(config.option($T.FIPS_ENDPOINT_ENABLED));", AwsClientOption.class)
+                       .addCode("}");
+            }
         }
 
         // Update configuration
 
         builder.addCode("return config.toBuilder()\n");
 
+        if (model.getCustomizationConfig().getServiceConfig().hasDualstackProperty()) {
+            builder.addCode(".option($T.DUALSTACK_ENDPOINT_ENABLED, c.dualstackEnabled())", AwsClientOption.class);
+        }
+
+        if (model.getCustomizationConfig().getServiceConfig().hasFipsProperty()) {
+            builder.addCode(".option($T.FIPS_ENDPOINT_ENABLED, c.fipsModeEnabled())", AwsClientOption.class);
+        }
+
         if (model.getEndpointOperation().isPresent()) {
             builder.addCode(".option($T.ENDPOINT_DISCOVERY_ENABLED, endpointDiscoveryEnabled)\n",
                             SdkClientOption.class);
@@ -287,7 +306,7 @@ private MethodSpec finalizeServiceConfigurationMethod() {
 
     private MethodSpec setServiceConfigurationMethod() {
         ClassName serviceConfiguration = ClassName.get(basePackage,
-                                                        model.getCustomizationConfig().getServiceSpecificClientConfigClass());
+                                                        model.getCustomizationConfig().getServiceConfig().getClassName());
         return MethodSpec.methodBuilder("serviceConfiguration")
                          .addModifiers(Modifier.PUBLIC)
                          .returns(TypeVariableName.get("B"))
@@ -300,7 +319,7 @@ private MethodSpec setServiceConfigurationMethod() {
 
     private MethodSpec beanStyleSetServiceConfigurationMethod() {
         ClassName serviceConfiguration = ClassName.get(basePackage,
-                                                        model.getCustomizationConfig().getServiceSpecificClientConfigClass());
+                                                        model.getCustomizationConfig().getServiceConfig().getClassName());
         return MethodSpec.methodBuilder("setServiceConfiguration")
                          .addModifiers(Modifier.PUBLIC)
                          .addParameter(serviceConfiguration, "serviceConfiguration")

codegen/src/main/java/software/amazon/awssdk/codegen/poet/builder/BaseClientBuilderInterface.java

@@ -57,7 +57,7 @@ public TypeSpec poetSpec() {
             builder.addMethod(endpointDiscovery());
         }
 
-        if (model.getCustomizationConfig().getServiceSpecificClientConfigClass() != null) {
+        if (model.getCustomizationConfig().getServiceConfig().getClassName() != null) {
             builder.addMethod(serviceConfigurationMethod());
             builder.addMethod(serviceConfigurationConsumerBuilderMethod());
         }
@@ -91,7 +91,7 @@ private MethodSpec endpointDiscovery() {
 
     private MethodSpec serviceConfigurationMethod() {
         ClassName serviceConfiguration = ClassName.get(basePackage,
-                                                        model.getCustomizationConfig().getServiceSpecificClientConfigClass());
+                                                        model.getCustomizationConfig().getServiceConfig().getClassName());
         return MethodSpec.methodBuilder("serviceConfiguration")
                          .addModifiers(Modifier.ABSTRACT, Modifier.PUBLIC)
                          .returns(TypeVariableName.get("B"))
@@ -101,7 +101,7 @@ private MethodSpec serviceConfigurationMethod() {
 
     private MethodSpec serviceConfigurationConsumerBuilderMethod() {
         ClassName serviceConfiguration = ClassName.get(basePackage,
-                                                        model.getCustomizationConfig().getServiceSpecificClientConfigClass());
+                                                        model.getCustomizationConfig().getServiceConfig().getClassName());
         TypeName consumerBuilder = ParameterizedTypeName.get(ClassName.get(Consumer.class),
                                                              serviceConfiguration.nestedClass("Builder"));
         return MethodSpec.methodBuilder("serviceConfiguration")

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/builder/test-client-builder-class.java

@@ -58,7 +58,16 @@ protected final SdkClientConfiguration finalizeServiceConfiguration(SdkClientCon
         } else {
             c.dualstackEnabled(config.option(AwsClientOption.DUALSTACK_ENDPOINT_ENABLED));
         }
-        return config.toBuilder().option(SdkClientOption.EXECUTION_INTERCEPTORS, interceptors)
+        if (c.fipsModeEnabled() != null) {
+            Validate.validState(
+                config.option(AwsClientOption.FIPS_ENDPOINT_ENABLED) == null,
+                "Fips has been configured on both ServiceConfiguration and the client/global level. Please limit fips configuration to one location.");
+        } else {
+            c.fipsModeEnabled(config.option(AwsClientOption.FIPS_ENDPOINT_ENABLED));
+        }
+        return config.toBuilder().option(AwsClientOption.DUALSTACK_ENDPOINT_ENABLED, c.dualstackEnabled())
+                     .option(AwsClientOption.FIPS_ENDPOINT_ENABLED, c.fipsModeEnabled())
+                     .option(SdkClientOption.EXECUTION_INTERCEPTORS, interceptors)
                      .option(SdkClientOption.RETRY_POLICY, MyServiceRetryPolicy.resolveRetryPolicy(config))
                      .option(SdkClientOption.SERVICE_CONFIGURATION, c.build()).build();
     }

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/client/c2j/json/customization.config

@@ -4,8 +4,11 @@
     },
     "presignersFqcn": "software.amazon.awssdk.services.acm.presign.AcmClientPresigners",
     "serviceSpecificHttpConfig": "software.amazon.MyServiceHttpConfig",
-    "serviceSpecificClientConfigClass": "ServiceConfiguration",
-    "serviceConfigHasDualstackConfig": true,
+    "serviceConfig": {
+      "className": "ServiceConfiguration",
+      "hasDualstackProperty": true,
+      "hasFipsProperty": true
+    },
     "customRetryPolicy": "software.amazon.MyServiceRetryPolicy",
     "verifiedSimpleMethods" : ["paginatedOperationWithResultKey"],
     "blacklistedSimpleMethods" : [

codegen/src/test/resources/software/amazon/awssdk/codegen/poet/client/c2j/rest-json/customization.config

@@ -4,8 +4,11 @@
     },
     "presignersFqcn": "software.amazon.awssdk.services.acm.presign.AcmClientPresigners",
     "serviceSpecificHttpConfig": "software.amazon.MyServiceHttpConfig",
-    "serviceSpecificClientConfigClass": "ServiceConfiguration",
-    "serviceConfigHasDualstackConfig": true,
+    "serviceConfig": {
+      "className": "ServiceConfiguration",
+      "hasDualstackProperty": true,
+      "hasFipsProperty": true
+    },
     "customRetryPolicy": "software.amazon.MyServiceRetryPolicy",
     "verifiedSimpleMethods" : ["paginatedOperationWithResultKey"],
     "blacklistedSimpleMethods" : [

core/auth/src/main/java/software/amazon/awssdk/auth/credentials/AwsCredentialsProviderChain.java

@@ -57,9 +57,9 @@ public final class AwsCredentialsProviderChain implements AwsCredentialsProvider
      * @see #builder()
      */
     private AwsCredentialsProviderChain(BuilderImpl builder) {
+        Validate.notEmpty(builder.credentialsProviders, "No credential providers were specified.");
         this.reuseLastProviderEnabled = builder.reuseLastProviderEnabled;
-        this.credentialsProviders = Collections.unmodifiableList(
-                Validate.notEmpty(builder.credentialsProviders, "No credential providers were specified."));
+        this.credentialsProviders = Collections.unmodifiableList(builder.credentialsProviders);
     }
 
     /**

core/aws-core/src/main/java/software/amazon/awssdk/awscore/AwsExecutionAttribute.java

@@ -39,9 +39,18 @@ public final class AwsExecutionAttribute extends SdkExecutionAttribute {
      */
     public static final ExecutionAttribute<String> ENDPOINT_PREFIX = new ExecutionAttribute<>("AwsEndpointPrefix");
 
+    /**
+     * Whether dualstack endpoints were enabled for this request.
+     */
     public static final ExecutionAttribute<Boolean> DUALSTACK_ENDPOINT_ENABLED =
         new ExecutionAttribute<>("DualstackEndpointsEnabled");
 
+    /**
+     * Whether fips endpoints were enabled for this request.
+     */
+    public static final ExecutionAttribute<Boolean> FIPS_ENDPOINT_ENABLED =
+        new ExecutionAttribute<>("DualstackEndpointsEnabled");
+
     private AwsExecutionAttribute() {
     }
 }

core/aws-core/src/main/java/software/amazon/awssdk/awscore/client/builder/AwsClientBuilder.java

@@ -81,4 +81,20 @@ public interface AwsClientBuilder<BuilderT extends AwsClientBuilder<BuilderT, Cl
      * <p>If the setting is not found in any of the locations above, 'false' will be used.
      */
     BuilderT dualstackEnabled(Boolean dualstackEndpointEnabled);
+
+    /**
+     * Configure whether the SDK should use the AWS fips endpoints.
+     *
+     * <p>If this is not specified, the SDK will attempt to determine whether the fips endpoint should be used
+     * automatically using the following logic:
+     * <ol>
+     *     <li>Check the 'aws.useFipsEndpoint' system property for 'true' or 'false'.</li>
+     *     <li>Check the 'AWS_USE_FIPS_ENDPOINT' environment variable for 'true' or 'false'.</li>
+     *     <li>Check the {user.home}/.aws/credentials and {user.home}/.aws/config files for the 'use_fips_endpoint'
+     *     property set to 'true' or 'false'.</li>
+     * </ol>
+     *
+     * <p>If the setting is not found in any of the locations above, 'false' will be used.
+     */
+    BuilderT fipsEnabled(Boolean fipsEndpointEnabled);
 }