feat(client-s3-control): support FIPS in S3 Outposts Control Plane (#2985)

Author: trivikr

packages/middleware-sdk-s3-control/src/process-arnables-plugin/getOutpostEndpoint.spec.ts

@@ -0,0 +1,31 @@
+import { getOutpostEndpoint } from "./getOutpostEndpoint";
+
+describe(getOutpostEndpoint.name, () => {
+  const mockRegion = "region";
+  const mockDnsSuffix = "mockDnsSuffix";
+  const mockHostname = `s3-control.${mockRegion}.${mockDnsSuffix}`;
+  const mockInput = { isCustomEndpoint: false, useFipsEndpoint: false };
+
+  it("returns hostname if custom endpoint is set", () => {
+    expect(getOutpostEndpoint(mockHostname, { ...mockInput, isCustomEndpoint: true })).toStrictEqual(mockHostname);
+  });
+
+  describe("returns outpost endpoint", () => {
+    it("uses region from hostname if regionOverride if provided", () => {
+      expect(getOutpostEndpoint(mockHostname, mockInput)).toStrictEqual(`s3-outposts.${mockRegion}.${mockDnsSuffix}`);
+    });
+
+    it("uses region from regionOverride if provided", () => {
+      const mockRegionOverride = "mockRegionOverride";
+      expect(getOutpostEndpoint(mockHostname, { ...mockInput, regionOverride: mockRegionOverride })).toStrictEqual(
+        `s3-outposts.${mockRegionOverride}.${mockDnsSuffix}`
+      );
+    });
+
+    it(`adds suffix "-fips" if useFipsEndpoint is set`, () => {
+      expect(getOutpostEndpoint(mockHostname, { ...mockInput, useFipsEndpoint: true })).toStrictEqual(
+        `s3-outposts-fips.${mockRegion}.${mockDnsSuffix}`
+      );
+    });
+  });
+});

packages/middleware-sdk-s3-control/src/process-arnables-plugin/getOutpostEndpoint.ts

@@ -0,0 +1,24 @@
+const REGEX_S3CONTROL_HOSTNAME = /^(.+\.)?s3-control[.-]([a-z0-9-]+)\./;
+
+export interface GetOutpostEndpointOptions {
+  isCustomEndpoint?: boolean;
+  regionOverride?: string;
+  useFipsEndpoint: boolean;
+}
+
+export const getOutpostEndpoint = (
+  hostname: string,
+  { isCustomEndpoint, regionOverride, useFipsEndpoint }: GetOutpostEndpointOptions
+): string => {
+  const [matched, prefix, region] = hostname.match(REGEX_S3CONTROL_HOSTNAME)!;
+  // hostname prefix will be ignored even if presents
+  return isCustomEndpoint
+    ? hostname
+    : [
+        `s3-outposts${useFipsEndpoint ? "-fips" : ""}`,
+        regionOverride || region,
+        hostname.replace(new RegExp(`^${matched}`), ""),
+      ]
+        .filter((part) => part !== undefined)
+        .join(".");
+};

packages/middleware-sdk-s3-control/src/process-arnables-plugin/index.ts

@@ -1,7 +1,4 @@
 export { getProcessArnablesPlugin } from "./plugin";
 export { parseOutpostArnablesMiddleaware, parseOutpostArnablesMiddleawareOptions } from "./parse-outpost-arnables";
-export {
-  updateArnablesRequestMiddleware,
-  updateArnablesRequestMiddlewareOptions,
-  getOutpostEndpoint,
-} from "./update-arnables-request";
+export { updateArnablesRequestMiddleware, updateArnablesRequestMiddlewareOptions } from "./update-arnables-request";
+export { getOutpostEndpoint } from "./getOutpostEndpoint";

packages/middleware-sdk-s3-control/src/process-arnables-plugin/parse-outpost-arnables.ts

@@ -3,7 +3,6 @@ import {
   getPseudoRegion,
   validateAccountId,
   validateNoDualstack,
-  validateNoFIPS,
   validateOutpostService,
   validatePartition,
   validateRegion,
@@ -114,7 +113,6 @@ const validateOutpostsArn = (
     clientSigningRegion: signingRegion,
   });
   validateNoDualstack(useDualstackEndpoint);
-  if (!useArnRegion) validateNoFIPS(clientRegion);
 };
 
 const parseOutpostsAccessPointArnResource = (

packages/middleware-sdk-s3-control/src/process-arnables-plugin/plugin.spec.ts

@@ -169,27 +169,6 @@ describe("getProcessArnablesMiddleware", () => {
       expect(context).toMatchObject({ signing_service: "s3-outposts", signing_region: "us-gov-east-1" });
     });
 
-    it("should validate when client region is fips region", async () => {
-      expect.assertions(1);
-      const clientRegion = "fips-us-gov-east-1";
-      const hostname = `s3-control.${clientRegion}.amazonaws.com`;
-      const options = setupPluginOptions({
-        region: clientRegion,
-        regionInfoProvider: () => Promise.resolve({ hostname, partition: "aws-us-gov" }),
-      });
-      const stack = getStack(hostname, options);
-      const handler = stack.resolve((() => {}) as any, {});
-      try {
-        await handler({
-          input: {
-            Name: "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
-          },
-        });
-      } catch (e) {
-        expect(e.message).toContain("FIPS region is not supported");
-      }
-    });
-
     it("should validate when arn region is fips region", async () => {
       expect.assertions(1);
       const clientRegion = "fips-us-gov-east-1";
@@ -411,28 +390,6 @@ describe("getProcessArnablesMiddleware", () => {
       expect(context).toMatchObject({ signing_service: "s3-outposts", signing_region: "us-gov-east-1" });
     });
 
-    it("should validate when client region is fips region", async () => {
-      expect.assertions(1);
-      const clientRegion = "fips-us-gov-east-1";
-      const hostname = `s3-control.${clientRegion}.amazonaws.com`;
-      const options = setupPluginOptions({
-        region: clientRegion,
-        regionInfoProvider: () => Promise.resolve({ hostname, partition: "aws-us-gov" }),
-      });
-      const stack = getStack(hostname, options);
-      const handler = stack.resolve((() => {}) as any, {});
-      try {
-        await handler({
-          input: {
-            Bucket:
-              "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket",
-          },
-        });
-      } catch (e) {
-        expect(e.message).toContain("FIPS region is not supported");
-      }
-    });
-
     it("should validate when arn region is fips region", async () => {
       expect.assertions(1);
       const clientRegion = "fips-us-gov-east-1";

packages/middleware-sdk-s3-control/src/process-arnables-plugin/update-arnables-request.ts

@@ -1,47 +1,41 @@
 import { HttpRequest } from "@aws-sdk/protocol-http";
-import { BuildHandlerOptions, BuildMiddleware } from "@aws-sdk/types";
+import { BuildHandlerOptions, BuildMiddleware, Provider } from "@aws-sdk/types";
 
-import { S3ControlResolvedConfig } from "../configurations";
 import { CONTEXT_ACCOUNT_ID, CONTEXT_ARN_REGION, CONTEXT_OUTPOST_ID } from "../constants";
+import { getOutpostEndpoint } from "./getOutpostEndpoint";
 
 const ACCOUNT_ID_HEADER = "x-amz-account-id";
 const OUTPOST_ID_HEADER = "x-amz-outpost-id";
-const REGEX_S3CONTROL_HOSTNAME = /^(.+\.)?s3-control[.-]([a-z0-9-]+)\./;
+
+export interface UpdateArnablesRequestMiddlewareConfig {
+  isCustomEndpoint: boolean;
+  useFipsEndpoint: Provider<boolean>;
+}
 
 /**
  * After outpost request is constructed, redirect request to outpost endpoint and set `x-amz-account-id` and
  * `x-amz-outpost-id` headers.
  */
 export const updateArnablesRequestMiddleware =
-  ({ isCustomEndpoint }: { isCustomEndpoint: boolean }): BuildMiddleware<any, any> =>
+  (config: UpdateArnablesRequestMiddlewareConfig): BuildMiddleware<any, any> =>
   (next, context) =>
-  (args) => {
+  async (args) => {
     const { request } = args;
     if (!HttpRequest.isInstance(request)) return next(args);
     if (context[CONTEXT_ACCOUNT_ID]) request.headers[ACCOUNT_ID_HEADER] = context[CONTEXT_ACCOUNT_ID];
     if (context[CONTEXT_OUTPOST_ID]) {
+      const { isCustomEndpoint } = config;
+      const useFipsEndpoint = await config.useFipsEndpoint();
       request.headers[OUTPOST_ID_HEADER] = context[CONTEXT_OUTPOST_ID];
       request.hostname = getOutpostEndpoint(request.hostname, {
         isCustomEndpoint,
         regionOverride: context[CONTEXT_ARN_REGION],
+        useFipsEndpoint,
       });
     }
     return next(args);
   };
 
-export const getOutpostEndpoint = (
-  hostname: string,
-  { isCustomEndpoint, regionOverride }: { isCustomEndpoint?: boolean; regionOverride?: string } = {}
-): string => {
-  const [matched, prefix, region] = hostname.match(REGEX_S3CONTROL_HOSTNAME)!;
-  // hostname prefix will be ignored even if presents
-  return isCustomEndpoint
-    ? hostname
-    : ["s3-outposts", regionOverride || region, hostname.replace(new RegExp(`^${matched}`), "")]
-        .filter((part) => part !== undefined)
-        .join(".");
-};
-
 export const updateArnablesRequestMiddlewareOptions: BuildHandlerOptions = {
   step: "build",
   name: "updateArnablesRequestMiddleware",

packages/middleware-sdk-s3-control/src/redirect-from-postid.spec.ts

@@ -6,7 +6,13 @@ describe("redirectFromPostIdMiddleware", () => {
   it("should redirect request if Bucket is a valid ARN", async () => {
     const next: any = (args: any) => ({ output: args.request });
     const context: any = {};
-    const { output } = await redirectFromPostIdMiddleware({ isCustomEndpoint: false })(next, context)({
+    const { output } = await redirectFromPostIdMiddleware({
+      isCustomEndpoint: false,
+      useFipsEndpoint: () => Promise.resolve(false),
+    })(
+      next,
+      context
+    )({
       input: { OutpostId: "op-123" },
       request: new HttpRequest({ hostname: "123456789012.s3-control.us-west-2.amazonaws.com" }),
     });

packages/middleware-sdk-s3-control/src/redirect-from-postid.ts

@@ -1,5 +1,5 @@
 import { HttpRequest } from "@aws-sdk/protocol-http";
-import { BuildHandlerOptions, BuildMiddleware, Pluggable } from "@aws-sdk/types";
+import { BuildHandlerOptions, BuildMiddleware, Pluggable, Provider } from "@aws-sdk/types";
 
 import { S3ControlResolvedConfig } from "./configurations";
 import { CONTEXT_SIGNING_SERVICE } from "./constants";
@@ -9,18 +9,25 @@ type InputType = {
   OutpostId?: string;
 };
 
+export interface RedirectFromPostIdMiddlewareConfig {
+  isCustomEndpoint: boolean;
+  useFipsEndpoint: Provider<boolean>;
+}
+
 /**
  * If OutpostId is set, redirect hostname to Outpost one, and change signing service to `s3-outposts`.
  * Applied to S3Control.CreateBucket and S3Control.ListRegionalBuckets
  */
 export const redirectFromPostIdMiddleware =
-  ({ isCustomEndpoint }: { isCustomEndpoint: boolean }): BuildMiddleware<InputType, any> =>
+  (config: RedirectFromPostIdMiddlewareConfig): BuildMiddleware<InputType, any> =>
   (next, context) =>
-  (args) => {
+  async (args) => {
     const { input, request } = args;
     if (!HttpRequest.isInstance(request)) return next(args);
     if (input.OutpostId) {
-      request.hostname = getOutpostEndpoint(request.hostname, { isCustomEndpoint });
+      const { isCustomEndpoint } = config;
+      const useFipsEndpoint = await config.useFipsEndpoint();
+      request.hostname = getOutpostEndpoint(request.hostname, { isCustomEndpoint, useFipsEndpoint });
       context[CONTEXT_SIGNING_SERVICE] = "s3-outposts";
     }
     return next(args);