15 changes: 15 additions & 0 deletions .golangci.yml
Expand Up @@ -58,6 +58,17 @@ issues:
- linters: [govet]
path-except: ^e/
text: "non-constant format string in call to github.com/gravitational/trace."
# lib/utils/aws/ subpackages are allowed to use AWS SDK constructors.
- path: lib/utils/aws/stsutils/sts.go
linters: [forbidigo]
text: 'sts.NewFromConfig'
- path: lib/utils/aws/stsutils/sts_v1.go
linters: [forbidigo]
text: 'sts.New'
# TODO(codingllama): Remove once e/ is updated.
- path: e/lib/cloud/aws/aws.go
linters: [forbidigo]
text: 'sts.NewFromConfig'
exclude-use-default: true
max-same-issues: 0
max-issues-per-linter: 0
Expand Down Expand Up @@ -270,6 +281,10 @@ linters-settings:
forbid:
- p: '^rsa\.GenerateKey$'
msg: 'generating RSA keys is slow, use lib/cryptosuites to generate an appropriate key type'
- p: '^sts\.NewFromConfig$'
msg: 'Use stsutils.NewFromConfig'
- p: '^sts\.New$'
msg: 'Use stsutils.NewV1'

run:
go: '1.23'
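Review bot: The forbid patterns `^sts\.NewFromConfig$` and `^sts\.New$` match the selector text as written in the file, so a package that imports the SDK under an alias (for example `stsv2 "github.com/aws/aws-sdk-go-v2/service/sts"`) and calls `stsv2.NewFromConfig` slips past the guard that is meant to route every STS client through stsutils. If the forbidigo version in use supports it, setting `analyze-types: true` and matching on the fully qualified name (`^github\.com/aws/aws-sdk-go-v2/service/sts\.NewFromConfig$`) closes that gap; otherwise a comment above the rule should state that the check is alias-sensitive. The `e/lib/cloud/aws/aws.go` exclusion means the enterprise path keeps constructing unwrapped STS clients until the TODO is resolved, which deserves a tracked follow-up rather than a silent exception. The exclusion `text: 'sts.New'` is an unanchored regex and also matches `sts.NewFromConfig` messages; harmless in `sts_v1.go`, but `'sts\.New$'` would say exactly what is intended.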
3 changes: 2 additions & 1 deletion integration/ec2_test.go
Expand Up @@ -52,6 +52,7 @@ import (
"github.com/gravitational/teleport/lib/service/servicecfg"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/utils"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

func newSilentLogger() utils.Logger {
Expand Down Expand Up @@ -150,7 +151,7 @@ func getCallerIdentity(ctx context.Context, t *testing.T) *sts.GetCallerIdentity
cfg.Region, err = imdsClient.GetRegion(ctx)
require.NoError(t, err, "trying to get local region from IMDSv2")
}
stsClient := sts.NewFromConfig(cfg)
stsClient := stsutils.NewFromConfig(cfg)
output, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
require.NoError(t, err)
return output
3 changes: 2 additions & 1 deletion lib/auth/join/iam/iam.go
Expand Up @@ -32,6 +32,7 @@ import (
"github.com/gravitational/trace"

cloudaws "github.com/gravitational/teleport/lib/cloud/imds/aws"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

const (
Expand Down Expand Up @@ -101,7 +102,7 @@ func CreateSignedSTSIdentityRequest(ctx context.Context, challenge string, opts
}

var signedRequest bytes.Buffer
stsClient := sts.NewFromConfig(awsConfig,
stsClient := stsutils.NewFromConfig(awsConfig,
sts.WithEndpointResolverV2(newCustomResolver(challenge)),
func(stsOpts *sts.Options) {
if options.useFIPS {
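Review bot: The FIPS decision for this STS client now comes from two places: the caller's own option function (`if options.useFIPS {` at the end of the hunk) and whatever `stsutils.NewFromConfig` applies internally. AWS SDK v2 option functions run in order, so whether the caller's setting or the wrapper's wins depends on whether the wrapper prepends or appends its own options; stsutils is not visible here, so this should be confirmed and recorded at the call site, e.g. `// stsutils applies the global FIPS policy; the useFIPS option below must agree with it, not override it.` If the wrapper honours the `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS` override exercised elsewhere in this PR, a join request could be signed against a non-FIPS STS endpoint while `options.useFIPS` is true, which the IAM join path should at least log. `CreateSignedSTSIdentityRequest` starts before and continues past this hunk.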
4 changes: 2 additions & 2 deletions lib/auth/join_ec2.go
Expand Up @@ -33,14 +33,14 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/aws/aws-sdk-go-v2/service/ec2"
ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/digitorus/pkcs7"
"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/utils"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

type ec2Client interface {
Expand Down Expand Up @@ -96,7 +96,7 @@ func checkInstanceRunning(ctx context.Context, instanceID, region, IAMRole strin

// assume the configured IAM role if necessary
if IAMRole != "" {
stsClient := sts.NewFromConfig(awsClientConfig)
stsClient := stsutils.NewFromConfig(awsClientConfig)
creds := stscreds.NewAssumeRoleProvider(stsClient, IAMRole)
awsClientConfig.Credentials = aws.NewCredentialsCache(creds)
}
3 changes: 2 additions & 1 deletion lib/auth/keystore/aws_kms.go
Expand Up @@ -45,6 +45,7 @@ import (
"github.com/gravitational/teleport/api/utils/retryutils"
"github.com/gravitational/teleport/lib/cryptosuites"
"github.com/gravitational/teleport/lib/service/servicecfg"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

const (
Expand Down Expand Up @@ -81,7 +82,7 @@ func newAWSKMSKeystore(ctx context.Context, cfg *servicecfg.AWSKMSConfig, opts *
return nil, trace.Wrap(err, "loading default AWS config")
}
if stsClient == nil {
stsClient = sts.NewFromConfig(awsCfg)
stsClient = stsutils.NewFromConfig(awsCfg)
}
if kmsClient == nil {
kmsClient = kms.NewFromConfig(awsCfg)
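Review bot: Only the STS client in `newAWSKMSKeystore` is routed through `stsutils.NewFromConfig`; the `kms.NewFromConfig(awsCfg)` call three lines below still uses the raw SDK constructor. If the stsutils wrapper is where FIPS endpoint selection (and the `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS` override exercised in this PR's tests) is applied, the KMS client that performs the actual CA signing operations does not receive the same policy unless `awsCfg` already carries it, which cannot be confirmed from this hunk. Either note at the `kms.NewFromConfig` line where its FIPS setting comes from, or plan a matching wrapper for KMS; at minimum `// FIPS for KMS is configured via awsCfg, not via a wrapper; keep in step with stsutils` makes the asymmetry deliberate rather than accidental. `newAWSKMSKeystore` begins before and ends after this hunk.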
5 changes: 3 additions & 2 deletions lib/backend/dynamo/dynamodbbk.go
Expand Up @@ -46,9 +46,9 @@ import (
"github.com/gravitational/teleport/api/utils"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/modules"
awsmetrics "github.com/gravitational/teleport/lib/observability/metrics/aws"
dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo"
"github.com/gravitational/teleport/lib/utils/aws/dynamodbutils"
"github.com/gravitational/teleport/lib/utils/aws/endpoint"
)

Expand Down Expand Up @@ -287,7 +287,8 @@ func New(ctx context.Context, params backend.Params) (*Backend, error) {
// FIPS settings are applied on the individual service instead of the aws config,
// as DynamoDB Streams and Application Auto Scaling do not yet have FIPS endpoints in non-GovCloud.
// See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service
if modules.GetModules().IsBoringBinary() {
useFIPS := dynamodbutils.IsFIPSEnabled()
if useFIPS {
dynamoOpts = append(dynamoOpts, func(o *dynamodb.Options) {
o.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
})
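Review bot: `dynamodbutils.IsFIPSEnabled()` replaces a pure build-time check (`IsBoringBinary`) with one that, judging by the `fips with env skip` case added to `dynamoevents_test.go` in this PR, can be switched off through the `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS` environment variable. A FIPS build can therefore reach DynamoDB over non-FIPS endpoints with nothing in code or config recording that choice; the comment block above the condition should say so, and the `!useFIPS` path in a boring binary deserves a warning log so operators can see it. For instance, extend the comment with `// IsFIPSEnabled also honours TELEPORT_UNSTABLE_DISABLE_AWS_FIPS, so a FIPS build may deliberately skip FIPS endpoints.` The local `useFIPS` is assigned and read once in the visible lines; if `New` (which continues past this hunk) does not reuse it, inlining it keeps the condition next to its explanation.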
6 changes: 3 additions & 3 deletions lib/cloud/clients.go
Expand Up @@ -64,7 +64,6 @@ import (
"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/aws/aws-sdk-go/service/ssm/ssmiface"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/aws/aws-sdk-go/service/sts/stsiface"
"github.com/gravitational/trace"
"github.com/sirupsen/logrus"
Expand All @@ -82,6 +81,7 @@ import (
gcpimds "github.com/gravitational/teleport/lib/cloud/imds/gcp"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/utils"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

// Clients provides interface for obtaining cloud provider clients.
Expand Down Expand Up @@ -607,7 +607,7 @@ func (c *cloudClients) GetAWSSTSClient(ctx context.Context, region string, opts
if err != nil {
return nil, trace.Wrap(err)
}
return sts.New(session), nil
return stsutils.NewV1(session), nil
}

// GetAWSEC2Client returns AWS EC2 client for the specified region.
Expand Down Expand Up @@ -880,7 +880,7 @@ func (c *cloudClients) getAWSSessionForRole(ctx context.Context, region string,
}

createSession := func(ctx context.Context) (*awssession.Session, error) {
stsClient := sts.New(options.baseSession)
stsClient := stsutils.NewV1(options.baseSession)
return newSessionWithRole(ctx, stsClient, region, options.assumeRoleARN, options.assumeRoleExternalID)
}

3 changes: 2 additions & 1 deletion lib/configurators/aws/aws.go
Expand Up @@ -49,6 +49,7 @@ import (
"github.com/gravitational/teleport/lib/srv/db/secrets"
"github.com/gravitational/teleport/lib/utils"
awsutils "github.com/gravitational/teleport/lib/utils/aws"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

const (
Expand Down Expand Up @@ -388,7 +389,7 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error {
}

if c.stsClient == nil {
c.stsClient = sts.NewFromConfig(*c.awsCfg)
c.stsClient = stsutils.NewFromConfig(*c.awsCfg)
}
if c.iamClient == nil {
c.iamClient = iam.NewFromConfig(*c.awsCfg)
5 changes: 3 additions & 2 deletions lib/events/dynamoevents/dynamoevents.go
Expand Up @@ -58,10 +58,10 @@ import (
apievents "github.com/gravitational/teleport/api/types/events"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/modules"
awsmetrics "github.com/gravitational/teleport/lib/observability/metrics/aws"
dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo"
"github.com/gravitational/teleport/lib/utils"
"github.com/gravitational/teleport/lib/utils/aws/dynamodbutils"
"github.com/gravitational/teleport/lib/utils/aws/endpoint"
)

Expand Down Expand Up @@ -324,7 +324,8 @@ func New(ctx context.Context, cfg Config) (*Log, error) {
// FIPS settings are applied on the individual service instead of the aws config,
// as DynamoDB Streams and Application Auto Scaling do not yet have FIPS endpoints in non-GovCloud.
// See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service
if modules.GetModules().IsBoringBinary() && cfg.UseFIPSEndpoint == types.ClusterAuditConfigSpecV2_FIPS_ENABLED {
if dynamodbutils.IsFIPSEnabled() &&
cfg.UseFIPSEndpoint == types.ClusterAuditConfigSpecV2_FIPS_ENABLED {
dynamoOpts = append(dynamoOpts, func(o *dynamodb.Options) {
o.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
})
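Review bot: When `dynamodbutils.IsFIPSEnabled()` is false because of the `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS` override (see the `fips with env skip` test case in this PR) but the cluster audit config explicitly requests `FIPS_ENABLED`, the explicit setting is dropped without a trace and audit events are written over a non-FIPS endpoint. An explicit configuration should not lose quietly to an environment variable: add a branch for `!dynamodbutils.IsFIPSEnabled() && cfg.UseFIPSEndpoint == types.ClusterAuditConfigSpecV2_FIPS_ENABLED` that emits a warning, and mention the override in the comment block above the condition. Whether the override is intended for production use or only for tests is not visible here and should be stated wherever `IsFIPSEnabled` is defined. `New` starts before and ends after this hunk.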
33 changes: 22 additions & 11 deletions lib/events/dynamoevents/dynamoevents_test.go
Expand Up @@ -610,21 +610,34 @@ func randStringAlpha(n int) string {
}

func TestEndpoints(t *testing.T) {
// Don't t.Parallel(), uses t.Setenv and modules.SetTestModules.

tests := []struct {
name string
fips bool
name string
fips bool
envVarValue string // value for the _DISABLE_FIPS environment variable
wantFIPSError bool
}{
{
name: "fips",
fips: true,
name: "fips",
fips: true,
wantFIPSError: true,
},
{
name: "fips with env skip",
fips: true,
envVarValue: "yes",
wantFIPSError: false,
},
{
name: "without fips",
name: "without fips",
wantFIPSError: false,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Setenv("TELEPORT_UNSTABLE_DISABLE_AWS_FIPS", tt.envVarValue)

fips := types.ClusterAuditConfigSpecV2_FIPS_DISABLED
if tt.fips {
Expand Down Expand Up @@ -658,15 +671,13 @@ func TestEndpoints(t *testing.T) {
})
// FIPS mode should fail because it is a violation to enable FIPS
// while also setting a custom endpoint.
if tt.fips {
assert.Error(t, err)
require.ErrorContains(t, err, "FIPS")
if tt.wantFIPSError {
assert.ErrorContains(t, err, "FIPS")
return
}

assert.Error(t, err)
assert.Nil(t, b)
require.ErrorContains(t, err, fmt.Sprintf("StatusCode: %d", http.StatusTeapot))
assert.ErrorContains(t, err, fmt.Sprintf("StatusCode: %d", http.StatusTeapot))
assert.Nil(t, b, "backend not nil")
})
}
}
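Review bot: The new `fips with env skip` case pins only that `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes` disables the FIPS check; it does not establish whether the helper is presence-based or parses a boolean, so a value such as `false` or `0` is untested and the two readings give opposite results for an operator who sets it defensively. Add a case like `{name: "fips with env set to false", fips: true, envVarValue: "false", wantFIPSError: true}` (or the opposite expectation, whichever `IsFIPSEnabled` actually implements) so the semantics are locked in. `t.Setenv` with an empty `envVarValue` sets the variable to `""` rather than leaving it unset, which is fine if the helper treats empty as unset but is worth a one-line comment on the `t.Setenv` call. The early `return` on `wantFIPSError` also skips the `assert.Nil(t, b)` check the non-FIPS path performs; asserting `b` is nil before returning keeps both paths consistent.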
4 changes: 2 additions & 2 deletions lib/integrations/awsoidc/accessgraph_sync.go
Expand Up @@ -24,12 +24,12 @@ import (

"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/gravitational/trace"

awslib "github.com/gravitational/teleport/lib/cloud/aws"
"github.com/gravitational/teleport/lib/cloud/provisioning"
"github.com/gravitational/teleport/lib/cloud/provisioning/awsactions"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

const (
Expand Down Expand Up @@ -90,7 +90,7 @@ func NewAccessGraphIAMConfigureClient(ctx context.Context) (AccessGraphIAMConfig
}

return &defaultTAGIAMConfigureClient{
CallerIdentityGetter: sts.NewFromConfig(cfg),
CallerIdentityGetter: stsutils.NewFromConfig(cfg),
Client: iam.NewFromConfig(cfg),
}, nil
}
4 changes: 2 additions & 2 deletions lib/integrations/awsoidc/aws_app_access_iam_config.go
Expand Up @@ -25,13 +25,13 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/gravitational/trace"

awslib "github.com/gravitational/teleport/lib/cloud/aws"
"github.com/gravitational/teleport/lib/cloud/provisioning"
"github.com/gravitational/teleport/lib/cloud/provisioning/awsactions"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

const (
Expand Down Expand Up @@ -109,7 +109,7 @@ func NewAWSAppAccessConfigureClient(ctx context.Context) (AWSAppAccessConfigureC

return &defaultAWSAppAccessConfigureClient{
Client: iam.NewFromConfig(cfg),
CallerIdentityGetter: sts.NewFromConfig(cfg),
CallerIdentityGetter: stsutils.NewFromConfig(cfg),
}, nil
}

5 changes: 3 additions & 2 deletions lib/integrations/awsoidc/clients.go
Expand Up @@ -33,6 +33,7 @@ import (
"github.com/gravitational/trace"

awsutils "github.com/gravitational/teleport/api/utils/aws"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

// AWSClientRequest contains the required fields to set up an AWS service client.
Expand Down Expand Up @@ -85,7 +86,7 @@ func newAWSConfig(ctx context.Context, req *AWSClientRequest) (*aws.Config, erro
}

cfg.Credentials = stscreds.NewWebIdentityRoleProvider(
sts.NewFromConfig(cfg),
stsutils.NewFromConfig(cfg),
req.RoleARN,
IdentityToken(req.Token),
)
Expand Down Expand Up @@ -129,7 +130,7 @@ func newSTSClient(ctx context.Context, req *AWSClientRequest) (*sts.Client, erro
return nil, trace.Wrap(err)
}

return sts.NewFromConfig(*cfg), nil
return stsutils.NewFromConfig(*cfg), nil
}

// newEC2Client creates an [ec2.Client] using the provided Token, RoleARN and Region.
4 changes: 2 additions & 2 deletions lib/integrations/awsoidc/clientsv1.go
Expand Up @@ -26,12 +26,12 @@ import (
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/endpoints"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/gravitational/trace"

"github.com/gravitational/teleport/api/types"
utilsaws "github.com/gravitational/teleport/api/utils/aws"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

// FetchToken returns the token.
Expand Down Expand Up @@ -92,7 +92,7 @@ func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region
return []byte(token), trace.Wrap(err)
}

stsSTS := sts.New(sess)
stsSTS := stsutils.NewV1(sess)
roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(
stsSTS,
awsOIDCIntegration.RoleARN,
Expand Up @@ -24,13 +24,13 @@ import (
"github.com/aws/aws-sdk-go-v2/aws/arn"
awsConfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"

"github.com/gravitational/teleport"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/utils/aws/stsutils"
)

// Options represents additional options for configuring the AWS credentials provider.
Expand All @@ -53,7 +53,7 @@ func CreateAWSConfigForIntegration(ctx context.Context, config Config, option ..
return nil, trace.Wrap(err)
}
if config.STSClient == nil {
config.STSClient = sts.NewFromConfig(*cacheAWSConfig)
config.STSClient = stsutils.NewFromConfig(*cacheAWSConfig)
}
credCache, err := newAWSCredCache(ctx, config, config.STSClient)
if err != nil {