apiclient: separate HTTP and HTTPS resolvers behind TLS feature flag

Split HttpUri into HttpUri (http://) and HttpsUri (https://), with
HttpsUri gated behind the tls feature flag alongside other TLS-dependent
resolvers (S3, SSM, Secrets Manager).

Signed-off-by: Kyle Sessions <kssessio@amazon.com>

Author: KCSesh

sources/Cargo.toml

@@ -121,7 +121,7 @@ aws-lc-rs = "=1.13.0"
 aws-sdk-cloudformation = "1"
 aws-sdk-ec2 = "1"
 aws-sdk-eks = "1"
-# Pin S3 <=1.85.0 and checksums <=0.63.1 to avoid crc-fast (no LTO support until v2.0)
+# Pin aws-sdk-s3 <=1.85.0 and aws-smithy-checksums <=0.63.1 to avoid crc-fast (no LTO support until v2.0)
 aws-sdk-s3 = "=1.85.0"
 aws-sdk-secretsmanager = "1"
 aws-sdk-ssm = "1"

sources/api/apiclient/src/apply.rs

@@ -71,7 +71,10 @@ where
 {
     let settings = SettingsInput::new(input_source.as_ref());
     let resolver = select_resolver(&settings).context(error::ResolverFailureSnafu)?;
-    resolver.resolve().await.context(error::ResolverFailureSnafu)
+    resolver
+        .resolve()
+        .await
+        .context(error::ResolverFailureSnafu)
 }
 
 /// Takes a string of TOML or JSON settings data and reserializes
@@ -211,7 +214,7 @@ mod resolver_selection_tests {
     #[test_case("base64:SGVsbG8=",                                                  TypeId::of::<crate::uri_resolver::Base64Uri>();                 "base64")]
     #[test_case("file:///tmp/folder",                                               TypeId::of::<crate::uri_resolver::FileUri>();                   "file")]
     #[test_case("http://amazon.com",                                                TypeId::of::<crate::uri_resolver::HttpUri>();                   "http")]
-    #[test_case("https://amazon.com",                                               TypeId::of::<crate::uri_resolver::HttpUri>();                   "https")]
+    #[test_case("https://amazon.com",                                               TypeId::of::<crate::tls_resolvers::HttpsUri>();                 "https")]
     #[test_case("s3://mybucket/path",                                               TypeId::of::<crate::uri_resolver::S3Uri>();                     "s3")]
     #[test_case("secretsmanager://sec",                                             TypeId::of::<crate::uri_resolver::SecretsManagerUri>();         "secrets")]
     #[test_case("ssm://param",                                                      TypeId::of::<crate::uri_resolver::SsmUri>();                    "ssmUri")]

sources/api/apiclient/src/lib.rs

@@ -28,9 +28,9 @@ pub mod network;
 pub mod reboot;
 pub mod report;
 pub mod set;
-pub mod update;
 #[cfg(feature = "tls")]
-pub mod cloud_resolvers;
+pub mod tls_resolvers;
+pub mod update;
 pub mod uri_resolver;
 
 mod error {

…ces/api/apiclient/src/cloud_resolvers.rs …urces/api/apiclient/src/tls_resolvers.rssources/api/apiclient/src/cloud_resolvers.rs renamed to sources/api/apiclient/src/tls_resolvers.rs sources/api/apiclient/src/cloud_resolvers.rs renamed to sources/api/apiclient/src/tls_resolvers.rs

@@ -1,10 +1,11 @@
-//! AWS cloud-based URI resolvers (S3, Secrets Manager, SSM Parameter Store).
+//! TLS-dependent URI resolvers (HTTPS, S3, Secrets Manager, SSM Parameter Store).
 //!
 //! This module is only compiled when the `tls` feature is enabled.
 
 use crate::uri_resolver::SettingsInput;
 use crate::uri_resolver::{ResolverResult, UriResolver, MAX_SIZE_BYTES};
 use async_trait::async_trait;
+use reqwest::Url;
 use snafu::{ensure, OptionExt, ResultExt, Snafu};
 use std::convert::TryFrom;
 
@@ -13,6 +14,68 @@ use aws_sdk_s3;
 use aws_sdk_secretsmanager;
 use aws_sdk_ssm;
 
+pub struct HttpsUri {
+    url: Url,
+}
+
+impl TryFrom<&SettingsInput> for HttpsUri {
+    type Error = crate::uri_resolver::ResolverError;
+    fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
+        use tls_resolver_error::*;
+        let url = input.parsed_url.clone().context(InvalidHttpsUriSnafu {
+            input_source: input.input.clone(),
+        })?;
+        ensure!(
+            url.scheme() == "https",
+            InvalidHttpsUriSnafu {
+                input_source: url.to_string()
+            }
+        );
+        Ok(HttpsUri { url })
+    }
+}
+
+#[async_trait]
+impl UriResolver for HttpsUri {
+    async fn resolve(&self) -> ResolverResult<String> {
+        use crate::uri_resolver::resolver_error::*;
+        let uri_str = self.url.to_string();
+        let resp = reqwest::get(self.url.clone())
+            .await
+            .context(HttpRequestSnafu { uri: &uri_str })?;
+        ensure!(
+            resp.status().is_success(),
+            HttpStatusSnafu {
+                uri: &uri_str,
+                status: resp.status(),
+            }
+        );
+        if let Some(content_length) = resp.content_length() {
+            ensure!(
+                content_length < MAX_SIZE_BYTES,
+                HttpObjectTooLargeSnafu {
+                    size: content_length,
+                    max_size: MAX_SIZE_BYTES,
+                    uri: &uri_str,
+                }
+            );
+        }
+        let bytes = resp
+            .bytes()
+            .await
+            .context(HttpBodySnafu { uri: &uri_str })?;
+        ensure!(
+            bytes.len() as u64 <= MAX_SIZE_BYTES,
+            HttpObjectTooLargeSnafu {
+                size: bytes.len() as u64,
+                max_size: MAX_SIZE_BYTES,
+                uri: &uri_str,
+            }
+        );
+        String::from_utf8(bytes.to_vec()).context(Utf8DecodeSnafu { uri: uri_str })
+    }
+}
+
 struct Arn {
     service: String,
     region: String,
@@ -53,7 +116,7 @@ pub struct S3Uri {
 impl TryFrom<&SettingsInput> for S3Uri {
     type Error = crate::uri_resolver::ResolverError;
     fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         const PREFIX: &str = "s3://";
         let uri_str = input.input.as_str();
         let remainder = uri_str.strip_prefix(PREFIX).context(S3UriSchemeSnafu {
@@ -76,7 +139,7 @@ impl TryFrom<&SettingsInput> for S3Uri {
 #[async_trait]
 impl UriResolver for S3Uri {
     async fn resolve(&self) -> ResolverResult<String> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         let cfg = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
         let client = aws_sdk_s3::Client::new(&cfg);
 
@@ -91,10 +154,12 @@ impl UriResolver for S3Uri {
                 key: self.key.clone(),
             })?;
 
-        let size = head_resp.content_length.context(S3MissingContentLengthSnafu {
-            bucket: self.bucket.clone(),
-            key: self.key.clone(),
-        })? as u64;
+        let size = head_resp
+            .content_length
+            .context(S3MissingContentLengthSnafu {
+                bucket: self.bucket.clone(),
+                key: self.key.clone(),
+            })? as u64;
 
         ensure!(
             size < MAX_SIZE_BYTES,
@@ -122,9 +187,11 @@ impl UriResolver for S3Uri {
             key: self.key.clone(),
         })?;
 
-        String::from_utf8(bytes.to_vec()).context(crate::uri_resolver::resolver_error::Utf8DecodeSnafu {
-            uri: format!("s3://{}/{}", self.bucket, self.key),
-        })
+        String::from_utf8(bytes.to_vec()).context(
+            crate::uri_resolver::resolver_error::Utf8DecodeSnafu {
+                uri: format!("s3://{}/{}", self.bucket, self.key),
+            },
+        )
     }
 }
 
@@ -137,7 +204,7 @@ impl TryFrom<&SettingsInput> for SecretsManagerArn {
     type Error = crate::uri_resolver::ResolverError;
     fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
         use crate::uri_resolver::resolver_error::InvalidArnFormatSnafu;
-        use cloud_error::SecretsManagerArnSnafu;
+        use tls_resolver_error::SecretsManagerArnSnafu;
         let arn = Arn::parse(input.input.as_str())?;
         ensure!(
             arn.parts == 7,
@@ -162,9 +229,11 @@ impl TryFrom<&SettingsInput> for SecretsManagerArn {
 #[async_trait]
 impl UriResolver for SecretsManagerArn {
     async fn resolve(&self) -> ResolverResult<String> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         let cfg = aws_config::defaults(aws_config::BehaviorVersion::latest())
-            .region(aws_sdk_secretsmanager::config::Region::new(self.region.clone()))
+            .region(aws_sdk_secretsmanager::config::Region::new(
+                self.region.clone(),
+            ))
             .load()
             .await;
         let client = aws_sdk_secretsmanager::Client::new(&cfg);
@@ -196,12 +265,14 @@ pub struct SecretsManagerUri {
 impl TryFrom<&SettingsInput> for SecretsManagerUri {
     type Error = crate::uri_resolver::ResolverError;
     fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         const PREFIX: &str = "secretsmanager://";
         let uri_str = input.input.as_str();
-        let remainder = uri_str.strip_prefix(PREFIX).context(SecretsManagerUriSnafu {
-            input_source: input.input.clone(),
-        })?;
+        let remainder = uri_str
+            .strip_prefix(PREFIX)
+            .context(SecretsManagerUriSnafu {
+                input_source: input.input.clone(),
+            })?;
         ensure!(
             !remainder.is_empty(),
             SecretsManagerUriSnafu {
@@ -217,7 +288,7 @@ impl TryFrom<&SettingsInput> for SecretsManagerUri {
 #[async_trait]
 impl UriResolver for SecretsManagerUri {
     async fn resolve(&self) -> ResolverResult<String> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         let cfg = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
         let client = aws_sdk_secretsmanager::Client::new(&cfg);
         let resp = client
@@ -246,7 +317,7 @@ impl TryFrom<&SettingsInput> for SsmArn {
     type Error = crate::uri_resolver::ResolverError;
     fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
         use crate::uri_resolver::resolver_error::InvalidArnFormatSnafu;
-        use cloud_error::SsmArnSnafu;
+        use tls_resolver_error::SsmArnSnafu;
         let arn = Arn::parse(input.input.as_str())?;
         ensure!(
             arn.parts == 6,
@@ -271,7 +342,7 @@ impl TryFrom<&SettingsInput> for SsmArn {
 #[async_trait]
 impl UriResolver for SsmArn {
     async fn resolve(&self) -> ResolverResult<String> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         let cfg = aws_config::defaults(aws_config::BehaviorVersion::latest())
             .region(aws_sdk_ssm::config::Region::new(self.region.clone()))
             .load()
@@ -307,7 +378,7 @@ pub struct SsmUri {
 impl TryFrom<&SettingsInput> for SsmUri {
     type Error = crate::uri_resolver::ResolverError;
     fn try_from(input: &SettingsInput) -> ResolverResult<Self> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         const PREFIX: &str = "ssm://";
         let uri_str = input.input.as_str();
         let remainder = uri_str.strip_prefix(PREFIX).context(SsmUriSnafu {
@@ -328,7 +399,7 @@ impl TryFrom<&SettingsInput> for SsmUri {
 #[async_trait]
 impl UriResolver for SsmUri {
     async fn resolve(&self) -> ResolverResult<String> {
-        use cloud_error::*;
+        use tls_resolver_error::*;
         let config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
         let client = aws_sdk_ssm::Client::new(&config);
         let resp = client
@@ -352,7 +423,10 @@ impl UriResolver for SsmUri {
 
 #[derive(Debug, Snafu)]
 #[snafu(module)]
-pub enum CloudError {
+pub enum TlsResolverError {
+    #[snafu(display("Given invalid https:// URI '{}'", input_source))]
+    InvalidHttpsUri { input_source: String },
+
     #[snafu(display("Failed to HEAD S3 object s3://{bucket}/{key}: {source}"))]
     S3Head {
         source: aws_sdk_s3::error::SdkError<
@@ -380,7 +454,11 @@ pub enum CloudError {
         source: aws_sdk_s3::primitives::ByteStreamError,
     },
 
-    #[snafu(display("Failed to fetch secret '{}' from Secrets Manager: {}", secret_id, source))]
+    #[snafu(display(
+        "Failed to fetch secret '{}' from Secrets Manager: {}",
+        secret_id,
+        source
+    ))]
     SecretsManagerGet {
         secret_id: String,
         source: aws_sdk_secretsmanager::error::SdkError<
@@ -391,11 +469,19 @@ pub enum CloudError {
     #[snafu(display("Failed to fetch parameter '{}' from SSM: {}", parameter_name, source))]
     SsmGetParameter {
         parameter_name: String,
-        source: aws_sdk_ssm::error::SdkError<aws_sdk_ssm::operation::get_parameter::GetParameterError>,
+        source:
+            aws_sdk_ssm::error::SdkError<aws_sdk_ssm::operation::get_parameter::GetParameterError>,
     },
 
-    #[snafu(display("S3 object s3://{bucket}/{key} is too large ({size} bytes, maximum is {max_size} bytes)"))]
-    S3ObjectTooLarge { size: u64, max_size: u64, bucket: String, key: String },
+    #[snafu(display(
+        "S3 object s3://{bucket}/{key} is too large ({size} bytes, maximum is {max_size} bytes)"
+    ))]
+    S3ObjectTooLarge {
+        size: u64,
+        max_size: u64,
+        bucket: String,
+        key: String,
+    },
 
     #[snafu(display("Invalid S3 URI scheme for '{}', expected s3://", input_source))]
     S3UriScheme { input_source: String },
@@ -409,16 +495,25 @@ pub enum CloudError {
     #[snafu(display("No Content-Length for S3 object {bucket}/{key}"))]
     S3MissingContentLength { bucket: String, key: String },
 
-    #[snafu(display("Invalid Secrets Manager URI scheme for '{}', expected secretsmanager://", input_source))]
+    #[snafu(display(
+        "Invalid Secrets Manager URI scheme for '{}', expected secretsmanager://",
+        input_source
+    ))]
     SecretsManagerUri { input_source: String },
 
     #[snafu(display("Secrets Manager secret '{}' did not return a string value", secret_id))]
     SecretsManagerStringMissing { secret_id: String },
 
-    #[snafu(display("Invalid Secrets Manager ARN scheme for '{}', expected arn:aws:secretsmanager:…", input_source))]
+    #[snafu(display(
+        "Invalid Secrets Manager ARN scheme for '{}', expected arn:aws:secretsmanager:…",
+        input_source
+    ))]
     SecretsManagerArn { input_source: String },
 
-    #[snafu(display("Invalid SSM ARN scheme for '{}', expected arn:aws:ssm:…", input_source))]
+    #[snafu(display(
+        "Invalid SSM ARN scheme for '{}', expected arn:aws:ssm:…",
+        input_source
+    ))]
     SsmArn { input_source: String },
 
     #[snafu(display("SSM ARN parameter '{}' did not return a string value", parameter_name))]
@@ -430,3 +525,26 @@ pub enum CloudError {
     #[snafu(display("SSM parameter '{}' did not return a string value", parameter_name))]
     SsmParameterMissing { parameter_name: String },
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use test_case::test_case;
+
+    #[test_case("https://example.com/foo", "https://example.com/foo"; "https_ok")]
+    fn parse_https(input: &str, expected: &str) {
+        let settings = SettingsInput::new(input);
+        let uri = HttpsUri::try_from(&settings).expect("should parse HTTPS URI");
+        assert_eq!(uri.url.as_str(), expected);
+    }
+
+    #[test_case("http://example.com"; "http_rejected")]
+    #[test_case("ftp://example.com"; "unsupported_scheme")]
+    fn parse_https_fail(input: &str) {
+        let settings = SettingsInput::new(input);
+        assert!(
+            HttpsUri::try_from(&settings).is_err(),
+            "should reject non-HTTPS URI"
+        );
+    }
+}