Update S3 ARN Handling for AccessPoints and Outpost ARNs (#1278)

skmcgrail · web-flow · commit 6c0b6b4dff9d · 2021-06-04T08:57:07.000-07:00
diff --git a/service/internal/s3shared/arn/accesspoint_arn.go b/service/internal/s3shared/arn/accesspoint_arn.go
@@ -28,6 +28,9 @@ func ParseAccessPointResource(a arn.ARN, resParts []string) (AccessPointARN, err
 	if len(a.Region) == 0 {
 		return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "region not set"}
 	}
+	if isFIPS(a.Region) {
+		return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "FIPS region not allowed in ARN"}
+	}
 	if len(a.AccountID) == 0 {
 		return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "account-id not set"}
 	}
@@ -48,3 +51,7 @@ func ParseAccessPointResource(a arn.ARN, resParts []string) (AccessPointARN, err
 		AccessPointName: resID,
 	}, nil
 }
+
+func isFIPS(region string) bool {
+	return strings.HasPrefix(region, "fips-") || strings.HasSuffix(region, "-fips")
+}
diff --git a/service/internal/s3shared/arn/accesspoint_arn_test.go b/service/internal/s3shared/arn/accesspoint_arn_test.go
@@ -81,6 +81,26 @@ func TestParseAccessPointResource(t *testing.T) {
 				AccessPointName: "endpoint",
 			},
 		},
+		"invalid FIPS pseudo region in ARN (prefix)": {
+			ARN: arn.ARN{
+				Partition: "aws",
+				Service:   "s3",
+				Region:    "fips-us-west-2",
+				AccountID: "012345678901",
+				Resource:  "accesspoint/endpoint",
+			},
+			ExpectErr: "FIPS region not allowed in ARN",
+		},
+		"invalid FIPS pseudo region in ARN (suffix)": {
+			ARN: arn.ARN{
+				Partition: "aws",
+				Service:   "s3",
+				Region:    "us-west-2-fips",
+				AccountID: "012345678901",
+				Resource:  "accesspoint/endpoint",
+			},
+			ExpectErr: "FIPS region not allowed in ARN",
+		},
 	}
 
 	for name, c := range cases {
diff --git a/service/internal/s3shared/arn/outpost_arn.go b/service/internal/s3shared/arn/outpost_arn.go
@@ -31,6 +31,10 @@ func ParseOutpostARNResource(a arn.ARN, resParts []string) (OutpostARN, error) {
 		return nil, InvalidARNError{ARN: a, Reason: "region not set"}
 	}
 
+	if isFIPS(a.Region) {
+		return nil, InvalidARNError{ARN: a, Reason: "FIPS region not allowed in ARN"}
+	}
+
 	if len(a.AccountID) == 0 {
 		return nil, InvalidARNError{ARN: a, Reason: "account-id not set"}
 	}
diff --git a/service/internal/s3shared/arn/outpost_arn_test.go b/service/internal/s3shared/arn/outpost_arn_test.go
@@ -94,6 +94,26 @@ func TestParseOutpostAccessPointARNResource(t *testing.T) {
 				OutpostID: "myoutpost",
 			},
 		},
+		"invalid FIPS pseudo region in ARN (prefix)": {
+			ARN: arn.ARN{
+				Partition: "aws",
+				Service:   "s3-outposts",
+				Region:    "fips-us-west-2",
+				AccountID: "012345678901",
+				Resource:  "outpost/myoutpost/accesspoint/myendpoint",
+			},
+			ExpectErr: "FIPS region not allowed in ARN",
+		},
+		"invalid FIPS pseudo region in ARN (suffix)": {
+			ARN: arn.ARN{
+				Partition: "aws",
+				Service:   "s3-outposts",
+				Region:    "us-west-2-fips",
+				AccountID: "012345678901",
+				Resource:  "outpost/myoutpost/accesspoint/myendpoint",
+			},
+			ExpectErr: "FIPS region not allowed in ARN",
+		},
 	}
 
 	for name, c := range cases {
diff --git a/service/internal/s3shared/endpoint_error.go b/service/internal/s3shared/endpoint_error.go
@@ -58,6 +58,8 @@ func NewInvalidARNWithUnsupportedPartitionError(resource arn.Resource, err error
 }
 
 // NewInvalidARNWithFIPSError ARN not supported for FIPS region
+//
+// Deprecated: FIPS will not appear in the ARN region component.
 func NewInvalidARNWithFIPSError(resource arn.Resource, err error) InvalidARNError {
 	return InvalidARNError{
 		message:  "resource ARN not supported for FIPS region",
@@ -136,6 +138,17 @@ func NewClientConfiguredForFIPSError(resource arn.Resource, clientPartitionID, c
 	}
 }
 
+// NewFIPSConfigurationError denotes a configuration error when a client or request is configured for FIPS
+func NewFIPSConfigurationError(resource arn.Resource, clientPartitionID, clientRegion string, err error) ConfigurationError {
+	return ConfigurationError{
+		message:           "use of ARN is not supported when client or request is configured for FIPS",
+		origErr:           err,
+		resource:          resource,
+		clientPartitionID: clientPartitionID,
+		clientRegion:      clientRegion,
+	}
+}
+
 // NewClientConfiguredForAccelerateError denotes client config error for unsupported S3 accelerate
 func NewClientConfiguredForAccelerateError(resource arn.Resource, clientPartitionID, clientRegion string, err error) ConfigurationError {
 	return ConfigurationError{
diff --git a/service/internal/s3shared/resource_request.go b/service/internal/s3shared/resource_request.go
@@ -35,6 +35,8 @@ func (r ResourceRequest) UseFips() bool {
 }
 
 // ResourceConfiguredForFIPS returns true if resource ARNs region is FIPS
+//
+// Deprecated: FIPS will not be present in the ARN region
 func (r ResourceRequest) ResourceConfiguredForFIPS() bool {
 	return IsFIPS(r.ARN().Region)
 }
@@ -68,8 +70,8 @@ func (r ResourceRequest) IsCrossRegion() bool {
 	return !strings.EqualFold(v, r.Resource.GetARN().Region)
 }
 
-// IsFIPS returns true if region is a fips region
-func IsFIPS(clientRegion string) bool {
-	return (strings.HasPrefix(clientRegion, "fips-") ||
-		strings.HasSuffix(clientRegion, "-fips"))
+// IsFIPS returns true if region is a fips pseudo-region
+func IsFIPS(region string) bool {
+	return strings.HasPrefix(region, "fips-") ||
+		strings.HasSuffix(region, "-fips")
 }
diff --git a/service/s3/internal/customizations/process_arn_resource.go b/service/s3/internal/customizations/process_arn_resource.go
@@ -185,9 +185,10 @@ func (m *processARNResource) HandleSerialize(
 				resourceRequest.PartitionID, resourceRequest.RequestRegion, nil)
 		}
 
-		// check if resource arn region is FIPS
-		if resourceRequest.ResourceConfiguredForFIPS() {
-			return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)
+		// check if request region is FIPS
+		if resourceRequest.UseFips() {
+			return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,
+				resourceRequest.RequestRegion, nil)
 		}
 
 		// build outpost access point request
diff --git a/service/s3/internal/customizations/update_endpoint_test.go b/service/s3/internal/customizations/update_endpoint_test.go
@@ -442,31 +442,28 @@ func TestEndpointWithARN(t *testing.T) {
 			expectedSigningName:   "s3-outposts",
 			expectedSigningRegion: "us-gov-east-1",
 		},
-		"Outpost AccessPoint Fips region": {
+		"Outpost AccessPoint FIPS cross-region": {
 			bucket: "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
 			options: s3.Options{
 				Region: "fips-us-gov-west-1",
 			},
 			expectedErr: "ConfigurationError : client region does not match provided ARN region",
 		},
-		"Outpost AccessPoint Fips region in Arn": {
-			bucket: "arn:aws-us-gov:s3-outposts:fips-us-gov-west-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
+		"Outpost AccessPoint with FIPS client cross-region": {
+			bucket: "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
 			options: s3.Options{
-				Region:          "fips-us-gov-west-1",
-				EndpointOptions: endpoints.Options{DisableHTTPS: true},
-				UseARNRegion:    true,
+				Region:       "fips-us-gov-west-1",
+				UseARNRegion: true,
 			},
-			expectedErr: "InvalidARNError : resource ARN not supported for FIPS region",
+			expectedErr: "use of ARN is not supported when client or request is configured for FIPS",
 		},
-		"Outpost AccessPoint Fips region with valid ARN region": {
-			bucket: "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
+		"Outpost AccessPoint with FIPS client matching region": {
+			bucket: "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
 			options: s3.Options{
 				Region:       "fips-us-gov-west-1",
 				UseARNRegion: true,
 			},
-			expectedReqURL:        "https://myaccesspoint-123456789012.op-01234567890123456.s3-outposts.us-gov-east-1.amazonaws.com/testkey?x-id=GetObject",
-			expectedSigningName:   "s3-outposts",
-			expectedSigningRegion: "us-gov-east-1",
+			expectedErr: "use of ARN is not supported when client or request is configured for FIPS",
 		},
 		"Outpost AccessPoint with Immutable Endpoint": {
 			bucket: "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
@@ -809,6 +806,54 @@ func TestEndpointWithARN(t *testing.T) {
 			expectedSigningName:   "s3",
 			expectedSigningRegion: "us-west-2",
 		},
+		"Invalid AccessPoint ARN with FIPS pseudo-region (prefix)": {
+			bucket: "arn:aws:s3:fips-us-east-1:123456789012:accesspoint:myendpoint",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
+		"Invalid AccessPoint ARN with FIPS pseudo-region (suffix)": {
+			bucket: "arn:aws:s3:us-east-1-fips:123456789012:accesspoint:myendpoint",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
+		"Invalid Outpost AccessPoint ARN with FIPS pseudo-region (prefix)": {
+			bucket: "arn:aws:s3-outposts:fips-us-east-1:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
+		"Invalid Outpost AccessPoint ARN with FIPS pseudo-region (suffix)": {
+			bucket: "arn:aws:s3-outposts:us-east-1-fips:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
+		"Invalid Object Lambda ARN with FIPS pseudo-region (prefix)": {
+			bucket: "arn:aws:s3-object-lambda:fips-us-east-1:123456789012:accesspoint/myap",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
+		"Invalid Object Lambda ARN with FIPS pseudo-region (suffix)": {
+			bucket: "arn:aws:s3-object-lambda:us-east-1-fips:123456789012:accesspoint/myap",
+			options: s3.Options{
+				Region:       "us-west-2",
+				UseARNRegion: true,
+			},
+			expectedErr: "FIPS region not allowed in ARN",
+		},
 	}
 
 	for name, c := range cases {
diff --git a/service/s3control/internal/customizations/process_arn_resource.go b/service/s3control/internal/customizations/process_arn_resource.go
@@ -112,8 +112,9 @@ func (m *processARNResource) HandleSerialize(
 		}
 
 		// check if resource arn region is FIPS
-		if resourceRequest.ResourceConfiguredForFIPS() {
-			return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)
+		if resourceRequest.UseFips() {
+			return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,
+				resourceRequest.RequestRegion, nil)
 		}
 
 		// Disable endpoint host prefix for s3-control
@@ -129,11 +130,6 @@ func (m *processARNResource) HandleSerialize(
 			return out, metadata, fmt.Errorf("error updating arnable field while serializing")
 		}
 
-		// check if request region is FIPS and ARN region usage is not allowed
-		if resourceRequest.UseFips() && !m.UseARNRegion {
-			return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)
-		}
-
 		// Add outpostID header
 		req.Header.Add(outpostIDHeader, tv.OutpostID)
 
@@ -158,8 +154,9 @@ func (m *processARNResource) HandleSerialize(
 		}
 
 		// check if resource arn region is FIPS
-		if resourceRequest.ResourceConfiguredForFIPS() {
-			return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)
+		if resourceRequest.UseFips() {
+			return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,
+				resourceRequest.RequestRegion, nil)
 		}
 
 		// Disable endpoint host prefix for s3-control
@@ -224,11 +221,6 @@ func validateResourceRequest(resourceRequest s3shared.ResourceRequest) error {
 			resourceRequest.PartitionID, resourceRequest.RequestRegion, nil)
 	}
 
-	// resource configured with FIPS as region is not supported by outposts
-	if resourceRequest.ResourceConfiguredForFIPS() {
-		return s3shared.NewInvalidARNWithFIPSError(resourceRequest.Resource, nil)
-	}
-
 	return nil
 }
 
diff --git a/service/s3control/internal/customizations/process_outpost_id.go b/service/s3control/internal/customizations/process_outpost_id.go
@@ -5,12 +5,11 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/aws/smithy-go/middleware"
-	smithyhttp "github.com/aws/smithy-go/transport/http"
-
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"github.com/aws/aws-sdk-go-v2/service/internal/s3shared"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
 // processOutpostIDMiddleware is special customization middleware to be applied for operations
diff --git a/service/s3control/internal/customizations/update_endpoint_test.go b/service/s3control/internal/customizations/update_endpoint_test.go

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@ func ParseAccessPointResource(a arn.ARN, resParts []string) (AccessPointARN, err`
`28`	`28`	`if len(a.Region) == 0 {`
`29`	`29`	`return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "region not set"}`
`30`	`30`	`}`
	`31`	`+ if isFIPS(a.Region) {`
	`32`	`+ return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "FIPS region not allowed in ARN"}`
	`33`	`+ }`
`31`	`34`	`if len(a.AccountID) == 0 {`
`32`	`35`	`return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "account-id not set"}`
`33`	`36`	`}`
`@@ -48,3 +51,7 @@ func ParseAccessPointResource(a arn.ARN, resParts []string) (AccessPointARN, err`
`48`	`51`	`AccessPointName: resID,`
`49`	`52`	`}, nil`
`50`	`53`	`}`
	`54`	`+`
	`55`	`+func isFIPS(region string) bool {`
	`56`	`+ return strings.HasPrefix(region, "fips-") \|\| strings.HasSuffix(region, "-fips")`
	`57`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,10 @@ func ParseOutpostARNResource(a arn.ARN, resParts []string) (OutpostARN, error) {`
`31`	`31`	`return nil, InvalidARNError{ARN: a, Reason: "region not set"}`
`32`	`32`	`}`
`33`	`33`
	`34`	`+ if isFIPS(a.Region) {`
	`35`	`+ return nil, InvalidARNError{ARN: a, Reason: "FIPS region not allowed in ARN"}`
	`36`	`+ }`
	`37`	`+`
`34`	`38`	`if len(a.AccountID) == 0 {`
`35`	`39`	`return nil, InvalidARNError{ARN: a, Reason: "account-id not set"}`
`36`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,8 @@ func (r ResourceRequest) UseFips() bool {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`// ResourceConfiguredForFIPS returns true if resource ARNs region is FIPS`
	`38`	`+//`
	`39`	`+// Deprecated: FIPS will not be present in the ARN region`
`38`	`40`	`func (r ResourceRequest) ResourceConfiguredForFIPS() bool {`
`39`	`41`	`return IsFIPS(r.ARN().Region)`
`40`	`42`	`}`
`@@ -68,8 +70,8 @@ func (r ResourceRequest) IsCrossRegion() bool {`
`68`	`70`	`return !strings.EqualFold(v, r.Resource.GetARN().Region)`
`69`	`71`	`}`
`70`	`72`
`71`		`-// IsFIPS returns true if region is a fips region`
`72`		`-func IsFIPS(clientRegion string) bool {`
`73`		`- return (strings.HasPrefix(clientRegion, "fips-") \|\|`
`74`		`- strings.HasSuffix(clientRegion, "-fips"))`
	`73`	`+// IsFIPS returns true if region is a fips pseudo-region`
	`74`	`+func IsFIPS(region string) bool {`
	`75`	`+ return strings.HasPrefix(region, "fips-") \|\|`
	`76`	`+ strings.HasSuffix(region, "-fips")`
`75`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -185,9 +185,10 @@ func (m *processARNResource) HandleSerialize(`
`185`	`185`	`resourceRequest.PartitionID, resourceRequest.RequestRegion, nil)`
`186`	`186`	`}`
`187`	`187`
`188`		`- // check if resource arn region is FIPS`
`189`		`- if resourceRequest.ResourceConfiguredForFIPS() {`
`190`		`- return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)`
	`188`	`+ // check if request region is FIPS`
	`189`	`+ if resourceRequest.UseFips() {`
	`190`	`+ return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,`
	`191`	`+ resourceRequest.RequestRegion, nil)`
`191`	`192`	`}`
`192`	`193`
`193`	`194`	`// build outpost access point request`
Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,9 @@ func (m *processARNResource) HandleSerialize(`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`// check if resource arn region is FIPS`
`115`		`- if resourceRequest.ResourceConfiguredForFIPS() {`
`116`		`- return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)`
	`115`	`+ if resourceRequest.UseFips() {`
	`116`	`+ return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,`
	`117`	`+ resourceRequest.RequestRegion, nil)`
`117`	`118`	`}`
`118`	`119`
`119`	`120`	`// Disable endpoint host prefix for s3-control`
`@@ -129,11 +130,6 @@ func (m *processARNResource) HandleSerialize(`
`129`	`130`	`return out, metadata, fmt.Errorf("error updating arnable field while serializing")`
`130`	`131`	`}`
`131`	`132`
`132`		`- // check if request region is FIPS and ARN region usage is not allowed`
`133`		`- if resourceRequest.UseFips() && !m.UseARNRegion {`
`134`		`- return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)`
`135`		`- }`
`136`		`-`
`137`	`133`	`// Add outpostID header`
`138`	`134`	`req.Header.Add(outpostIDHeader, tv.OutpostID)`
`139`	`135`
`@@ -158,8 +154,9 @@ func (m *processARNResource) HandleSerialize(`
`158`	`154`	`}`
`159`	`155`
`160`	`156`	`// check if resource arn region is FIPS`
`161`		`- if resourceRequest.ResourceConfiguredForFIPS() {`
`162`		`- return out, metadata, s3shared.NewInvalidARNWithFIPSError(tv, nil)`
	`157`	`+ if resourceRequest.UseFips() {`
	`158`	`+ return out, metadata, s3shared.NewFIPSConfigurationError(tv, resourceRequest.PartitionID,`
	`159`	`+ resourceRequest.RequestRegion, nil)`
`163`	`160`	`}`
`164`	`161`
`165`	`162`	`// Disable endpoint host prefix for s3-control`
`@@ -224,11 +221,6 @@ func validateResourceRequest(resourceRequest s3shared.ResourceRequest) error {`
`224`	`221`	`resourceRequest.PartitionID, resourceRequest.RequestRegion, nil)`
`225`	`222`	`}`
`226`	`223`
`227`		`- // resource configured with FIPS as region is not supported by outposts`
`228`		`- if resourceRequest.ResourceConfiguredForFIPS() {`
`229`		`- return s3shared.NewInvalidARNWithFIPSError(resourceRequest.Resource, nil)`
`230`		`- }`
`231`		`-`
`232`	`224`	`return nil`
`233`	`225`	`}`
`234`	`226`