From 4ecb6bf811ce3c50e6eefab94d85e6d7552a2455 Mon Sep 17 00:00:00 2001
From: Gavin Inglis
Date: Thu, 24 Oct 2024 22:14:25 +0000
Subject: [PATCH] schnauzer: extend ecr-prefix for FIPS endpoints

Port of https://github.com/bottlerocket-os/bottlerocket-core-kit/commit/70a95dac6ab5dfb90656c0f99ad2aa0a790833de

Signed-off-by: Gavin Inglis
---
 sources/api/schnauzer/src/helpers.rs | 38 +++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/sources/api/schnauzer/src/helpers.rs b/sources/api/schnauzer/src/helpers.rs
index 7defe32fa06..2857073028c 100644
--- a/sources/api/schnauzer/src/helpers.rs
+++ b/sources/api/schnauzer/src/helpers.rs
@@ -16,7 +16,7 @@ use serde_plain::derive_fromstr_from_deserialize;
 use settings_extension_oci_defaults::OciDefaultsResourceLimitV1;
 use snafu::{OptionExt, ResultExt};
 use std::borrow::Borrow;
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::convert::TryFrom;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use std::str::FromStr;
@@ -63,6 +63,19 @@ lazy_static! {
         m.insert("us-west-2", "328549459982");
         m
     };
+
+    /// A set to tell us which regions have FIPS ECR endpoints.
+    /// https://docs.aws.amazon.com/general/latest/gr/ecr.html
+    static ref ECR_FIPS_REGIONS: HashSet<&'static str> = {
+        let mut h = HashSet::new();
+        h.insert("us-east-1");
+        h.insert("us-east-2");
+        h.insert("us-gov-east-1");
+        h.insert("us-gov-west-1");
+        h.insert("us-west-1");
+        h.insert("us-west-2");
+        h
+    };
 }
 
 /// But if there is a region that does not exist in our map (for example a new
@@ -71,6 +84,9 @@ lazy_static! {
 const ECR_FALLBACK_REGION: &str = "us-east-1";
 const ECR_FALLBACK_REGISTRY: &str = "328549459982";
 
+/// Path to FIPS sysctl file.
+const FIPS_ENABLED_SYSCTL_PATH: &str = "/proc/sys/crypto/fips_enabled";
+
 lazy_static! {
     /// A map to tell us which endpoint to pull updates from for a given region.
     static ref TUF_ENDPOINT_MAP: HashMap<&'static str, &'static str> = {
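Review bot: The doc comment on `ECR_FIPS_REGIONS` says which regions have FIPS endpoints but not what happens for a region that is absent from the set: as the `ecr_registry` arm in this patch shows, such a region keeps the plain `.dkr.ecr.<region>.amazonaws.com` host even when the host is in FIPS mode, a silent fallback a FIPS deployment would want spelled out. Suggest adding a line to the comment, e.g. `/// A region missing here gets the non-FIPS endpoint even when FIPS mode is on; keep in sync with the linked page.` The list also hard-codes the GovCloud regions, whose partition handling lives in the `_` arm outside this hunk, so I cannot confirm from here that they reach the `-fips` spelling.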
@@ -132,7 +148,6 @@ mod error {
         value: handlebars::JsonValue,
         template: String,
     },
-
     #[snafu(display(
         "Incorrect number of params provided to helper '{}' in template '{}' - {} expected, {} received",
         helper,
@@ -797,6 +812,14 @@ pub fn tuf_prefix(
     Ok(())
 }
 
+/// Utility function to determine if a variant is in FIPS mode based
+/// on /proc/sys/crypto/fips_enabled.
+fn fips_enabled() -> bool {
+    std::fs::read_to_string(FIPS_ENABLED_SYSCTL_PATH)
+        .map(|s| s.trim() == "1")
+        .unwrap_or(false)
+}
+
 /// The `metadata-prefix` helper is used to map an AWS region to the correct
 /// metadata location inside of the TUF repository.
 ///
@@ -1812,7 +1835,16 @@ fn ecr_registry>(region: S) -> String {
     match partition {
         "aws-cn" => format!("{}.dkr.ecr.{}.amazonaws.com.cn", registry_id, region),
         "aws-iso-e" => format!("{}.dkr.ecr.{}.cloud.adc-e.uk", registry_id, region),
-        _ => format!("{}.dkr.ecr.{}.amazonaws.com", registry_id, region),
+        _ => {
+            // Only inject the FIPS service endpoint if the variant is in FIPS mode and the
+            // region supports FIPS.
+            let suffix = if fips_enabled() && ECR_FIPS_REGIONS.contains(region) {
+                "-fips"
+            } else {
+                ""
+            };
+            format!("{}.dkr.ecr{}.{}.amazonaws.com", registry_id, suffix, region)
+        }
     }
 }
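Review bot: `fips_enabled` maps any failure to read `FIPS_ENABLED_SYSCTL_PATH` to `false` through `unwrap_or(false)`, so a missing or unreadable sysctl quietly selects the non-FIPS endpoint; the doc comment should state that fail-open choice so a maintainer does not mistake it for an oversight. Suggest extending it with `/// Returns false when the sysctl is missing, unreadable, or holds anything other than "1".` The file is also re-read on every helper render; if, as I believe, the value is fixed for the lifetime of the boot, it could be computed once in the existing `lazy_static!` block, though that is only a cost point.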
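Review bot: In the new `_` arm the condition `fips_enabled() && ECR_FIPS_REGIONS.contains(region)` reads the sysctl before the cheap set lookup, so every render for a region without a FIPS endpoint still touches `/proc`; reversing it to `ECR_FIPS_REGIONS.contains(region) && fips_enabled()` short-circuits on the common case. Because the host state is read inside the arm, the `-fips` spelling of the host cannot be exercised by a unit test; routing the decision through a small helper that takes the FIPS flag as a parameter would make it testable. `ecr_registry` starts before the hunk, so whether `region` here is the caller's region or the fallback region is not visible from this view.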