Unverified Commit 09ba40e6 authored by Russell Cohen's avatar Russell Cohen Committed by GitHub

Add FIPS support to Hyper 1.0 Client (#3539)

## Description
This does several things:
1. Upgrade to RusTLS 0.23 which enables FIPS support
2. Add smoke test of the clients. This revealed a bug where https URLs
were not supported.

This is technically a breaking change because I added `non_exhaustive`
to the CryptoMode enum.


## Testing
New integration tests. I expect this to fail in CI since I'll need to
update the build image to match.

## Checklist
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the
smithy-rs codegen or runtime crates
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS
SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
parent d37ac94a
+1 −0
@@ -23,6 +23,7 @@ confidence-threshold = 1.0
exceptions = [
    { allow = ["OpenSSL"], name = "ring", version = "*" },
    { allow = ["OpenSSL"], name = "aws-lc-sys", version = "*" },
    { allow = ["OpenSSL"], name = "aws-lc-fips-sys", version = "*" },
]

[[licenses.clarify]]
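Review bot: the new `aws-lc-fips-sys` exception allows the OpenSSL license for `version = "*"`, consistent with the `ring` and `aws-lc-sys` entries above it; since a FIPS-validated module is only validated at specific versions, consider narrowing this range to the validated `aws-lc-fips-sys` releases (or adding a comment on the line saying where that pin lives) so the deny list does not silently cover every future release.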
+5 −5
@@ -232,24 +232,24 @@ jobs:
        - target: i686-unknown-linux-gnu
          build_smithy_rs_features: --all-features
          build_aws_exclude: ''
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental
          test_smithy_rs_features: --all-features
          test_aws_exclude: ''
          test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
          test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental
        - target: powerpc-unknown-linux-gnu
          build_smithy_rs_features: ''
          build_aws_exclude: --exclude aws-inlineable
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental
          test_smithy_rs_features: ''
          test_aws_exclude: --exclude aws-inlineable
          test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
        - target: powerpc64-unknown-linux-gnu
          build_smithy_rs_features: ''
          build_aws_exclude: --exclude aws-inlineable
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
          build_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental
          test_smithy_rs_features: ''
          test_aws_exclude: --exclude aws-inlineable
          test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript
          test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental
    env:
      CROSS_CONFIG: Cross.toml
    steps:
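Review bot: the `powerpc-unknown-linux-gnu` entry adds `--exclude aws-smithy-experimental` to `build_smithy_rs_exclude` but leaves `test_smithy_rs_exclude` unchanged, whereas `i686-unknown-linux-gnu` and `powerpc64-unknown-linux-gnu` update both; if the crate cannot build for that target the test step will still try to compile it. Suggest `test_smithy_rs_exclude: --exclude aws-smithy-http-server-python --exclude aws-smithy-http-server-typescript --exclude aws-smithy-experimental` for powerpc as well.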
+22 −0
@@ -70,3 +70,25 @@ message = "Users may now set service-specific configuration in the environment.
references = ["smithy-rs#3493"]
meta = { "breaking" = false, "tada" = true, "bug" = false }
author = "Velfi"

[[smithy-rs]]
message = "Fix bug in Hyper 1.0 support where https URLs returned an error"
references = ["smithy-rs#3539"]
meta = { "breaking" = false, "tada" = false, "bug" = false }
author = "rcoh"

[[smithy-rs]]
message = """Add FIPS support to our Hyper 1.0-based client. Customers can enable this mode by enabling the `crypto-aws-lc-fips` on `aws-smithy-experimental`. To construct a client using the new client, consult this [example](https://github.com/awslabs/aws-sdk-rust/blob/release-2024-03-29/sdk/s3/tests/hyper-10.rs).

Please note that support for Hyper 1.0 remains experimental."""
references = ["smithy-rs#3539"]
meta = { "breaking" = false, "tada" = true, "bug" = false }
author = "rcoh"

[[aws-sdk-rust]]
message = """Add FIPS support to our Hyper 1.0-based client. Customers can enable this mode by enabling the `crypto-aws-lc-fips` on `aws-smithy-experimental`. To construct a client using the new client, consult this [example](https://github.com/awslabs/aws-sdk-rust/blob/release-2024-03-29/sdk/s3/tests/hyper-10.rs).

Please note that support for Hyper 1.0 remains experimental."""
references = ["smithy-rs#3539"]
meta = { "breaking" = false, "tada" = true, "bug" = false }
author = "rcoh"
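Review bot: the metadata on these entries does not match the change. The "Fix bug in Hyper 1.0 support where https URLs returned an error" entry has `"bug" = false` and should be `"bug" = true`, and both FIPS entries carry `"breaking" = false` although the description says adding `non_exhaustive` to the `CryptoMode` enum is a breaking change. Also, "by enabling the `crypto-aws-lc-fips` on `aws-smithy-experimental`" is missing the word "feature".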
+6 −6
[package]
name = "aws-smithy-experimental"
version = "0.1.0"
version = "0.1.1"
authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>"]
description = "Experiments for the smithy-rs ecosystem"
edition = "2021"
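Review bot: the version bump is `0.1.0` to `0.1.1`, which cargo treats as a compatible update under a `^0.1` requirement; since the description calls the `non_exhaustive` addition a breaking change, this should be `0.2.0` so downstream crates are not upgraded onto it automatically.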
@@ -9,7 +9,8 @@ repository = "https://github.com/smithy-lang/smithy-rs"

[features]
crypto-ring = ["rustls/ring"]
crypto-aws-lc = ["rustls/aws_lc_rs", "dep:fs_extra"]
crypto-aws-lc = ["rustls/aws_lc_rs"]
crypto-aws-lc-fips = ["rustls/fips"]

[dependencies]
aws-smithy-types = { path = "../aws-smithy-types", features = ["http-body-1-x"] }
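Review bot: `crypto-aws-lc-fips = ["rustls/fips"]` does not enable `crypto-aws-lc`, yet the `client-aws-lc` example below requires both features and the changelog tells users to enable only `crypto-aws-lc-fips`; consider `crypto-aws-lc-fips = ["crypto-aws-lc", "rustls/fips"]` so one feature is sufficient, or document that both must be enabled.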
@@ -20,13 +21,12 @@ pin-project-lite = "0.2.13"
hyper-util = "0.1.3"
http = "1"
tokio = "1"
hyper-rustls = { version = "0.26", features = ["http2", "http1"] }
rustls = { version = "0.22.2", default-features = false }
hyper-rustls = { version = "0.27", features = ["http2", "http1", "native-tokio", "tls12"], default-features = false }
rustls = { version = "0.23", default-features = false }
h2 = "0.4"
once_cell = "1.18.0"
tracing = "0.1.40"
tower = "0.4.1"
fs_extra = { version = "1.3.0", optional = true } # hack for cargo-minimal-versions

[dev-dependencies]
aws-smithy-async = { path = "../aws-smithy-async", features = ["rt-tokio", "test-util"] }
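Review bot: `hyper-rustls` is now pulled in with `default-features = false` and an explicit list (`http2`, `http1`, `native-tokio`, `tls12`), and neither it nor `rustls = { version = "0.23", default-features = false }` names a crypto provider, so provider selection rests entirely on this crate's `crypto-*` features; that is the right decoupling, but a short comment on these lines would stop the next editor from "restoring" defaults or treating `tls12` (which keeps TLS 1.2 enabled) as accidental. Dropping `fs_extra` is consistent with the `crypto-aws-lc` feature no longer referencing it.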
@@ -40,7 +40,7 @@ doc-scrape-examples = true

[[example]]
name = "client-aws-lc"
required-features = ["crypto-aws-lc"]
required-features = ["crypto-aws-lc", "crypto-aws-lc-fips"]
doc-scrape-examples = true

[[example]]
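Review bot: adding `crypto-aws-lc-fips` to `required-features` for the `client-aws-lc` example means there is no longer any example that builds with plain `crypto-aws-lc`, and per the README the FIPS build needs CMake and Go, so `cargo build --examples` without those tools silently skips it; suggest a separate `client-aws-lc-fips` example and keeping this one on `["crypto-aws-lc"]`.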
+6 −4
@@ -3,11 +3,13 @@
Staging ground for experimental new features in the smithy-rs ecosystem.

### Hyper 1.0 Support
This crate adds support for Hyper 1.0 (see [examples](./examples)). There a few blockers before stablization:
1. Moving to `rustls` 0.23 to take advantage of FIPS support. This is blocked on `hyper-rustls` being upgraded.
2. Expose an API for providing a custom connector. Currently that API is not exposed because a shim layer is needed to avoid taking a hard dependency on hyper-util.
3. Add support for poisoning connections in the connection pool. This API needs to be either backported into hyper-util or we need to establish our own client.
This crate allows customers to use Hyper 1.0. A valuable consequence of this is access to aws-lc-rs and its `FIPS` compliant crypto. This is available behind the `crypto-aws-lc-fips` feature. **Note**: FIPS support has somewhat [complex build requirements](https://github.com/aws/aws-lc/blob/main/BUILDING.md), namely CMake and Go.

## Crate Stabilization

This crate adds support for Hyper 1.0 (see [examples](./examples)). There a few blockers before stablization:
1. Expose an API for providing a custom connector. Currently, that API is not exposed because a shim layer is needed to avoid taking a hard dependency on hyper-util.
2. Add support for poisoning connections in the connection pool. This API needs to be either backported into hyper-util or we need to establish our own client.

<!-- anchor_start:footer -->
This crate is part of the [AWS SDK for Rust](https://awslabs.github.io/aws-sdk-rust/) and the [smithy-rs](https://github.com/smithy-lang/smithy-rs) code generator.
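Review bot: the moved sentence "This crate adds support for Hyper 1.0 (see [examples](./examples)). There a few blockers before stablization:" keeps two typos ("There a few", "stablization") and now duplicates the intro under "Hyper 1.0 Support", which already says the crate allows customers to use Hyper 1.0; suggest "There are a few blockers before stabilization:" and dropping the repeated first sentence.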