From 778ad3226404687d444d8feae66ce9d6a45dc1cf Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Mon, 9 Sep 2024 10:30:10 -0700
Subject: [PATCH 1/3] Add support for Http client cert and key to support mTLS
---
 gems/aws-sdk-core/CHANGELOG.md | 2 ++
 .../lib/seahorse/client/net_http/connection_pool.rb | 13 +++++++++++--
 .../lib/seahorse/client/plugins/net_http.rb | 9 +++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index 67f220208fa..824929b3948 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
+* Issue - Add support for Http client cert and key to support mTLS.
+
 3.203.0 (2024-09-03)
 ------------------
diff --git a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
index a777b561817..2419d3ce09f 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
@@ -34,7 +34,9 @@ class ConnectionPool
 ssl_ca_bundle: nil,
 ssl_ca_directory: nil,
 ssl_ca_store: nil,
- ssl_timeout: nil
+ ssl_timeout: nil,
+ http_client_cert: nil,
+ http_client_key: nil
 }
 # @api private
@@ -246,7 +248,9 @@ def pool_options options
 :ssl_ca_bundle => options[:ssl_ca_bundle],
 :ssl_ca_directory => options[:ssl_ca_directory],
 :ssl_ca_store => options[:ssl_ca_store],
- :ssl_timeout => options[:ssl_timeout]
+ :ssl_timeout => options[:ssl_timeout],
+ :http_client_cert => options[:http_client_cert],
+ :http_client_key => options[:http_client_key]
 }
 end
@@ -291,6 +295,11 @@ def start_session endpoint
 http.ca_file = ssl_ca_bundle if ssl_ca_bundle
 http.ca_path = ssl_ca_directory if ssl_ca_directory
 http.cert_store = ssl_ca_store if ssl_ca_store
+ http.cert = http_client_cert if http_client_cert
+ http.key = http_client_key if http_client_key
+
+ puts "Set stuff"
+ puts http.cert
 else
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
diff --git a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
index 75b122f9eb7..29e58a3b018 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
@@ -70,6 +70,15 @@ class NetHttp < Plugin
 resolve_ssl_timeout(cfg)
 end
+ option(:http_client_cert, default: nil, doc_type: OpenSSL::X509::Certificate, docstring: <<-DOCS)
+Sets a client certificate when creating http connections.
 DOCS
+
+ option(:http_client_key, default: nil, doc_type: OpenSSL::PKey, docstring: <<-DOCS)
+Sets a client key when creating http connections.
 DOCS
+
 option(:logger) # for backwards compat
 handler(Client::NetHttp::Handler, step: :send)
From 089fa2c35abe9b7df8f575148f7aa10de8a4fced Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Mon, 9 Sep 2024 10:56:30 -0700
Subject: [PATCH 2/3] Remove debugging
---
 .../lib/seahorse/client/net_http/connection_pool.rb | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
index 2419d3ce09f..73661de1d9e 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
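Review bot: The new `http.cert = http_client_cert if http_client_cert` / `http.key = http_client_key if http_client_key` lines apply the certificate and the key independently, so a caller who configures only one of them gets no error at setup time; as far as I recall Net::HTTP only hands a client certificate to the SSL context when both are present, which would turn that misconfiguration into an opaque handshake rejection from the server. A guard before the assignments, `raise ArgumentError, ':http_client_cert and :http_client_key must be given together' if http_client_cert.nil? ^ http_client_key.nil?`, surfaces it where it can be fixed. Both assignments also sit inside the branch whose `else` sets `OpenSSL::SSL::VERIFY_NONE` (presumably the `ssl_verify_peer` check, which starts above the hunk), so no client certificate is sent when peer verification is disabled; if that coupling is intended it should be documented on the options. The same applies to the renamed `http.cert = ssl_cert if ssl_cert` / `http.key = ssl_key if ssl_key` lines in patch 3 (`@@ -295,8 +295,8 @@`). start_session continues outside the hunk.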
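Review bot: The docstrings `Sets a client certificate when creating http connections.` and `Sets a client key when creating http connections.` do not tell the reader that these options take OpenSSL objects rather than file paths (unlike `ssl_ca_bundle`/`ssl_ca_directory` in the same plugin), that they are only useful together, or that they are applied only in the peer-verification branch of start_session in connection_pool.rb. I would expand them along the lines of `An OpenSSL::X509::Certificate to present as the client certificate for mutual TLS. Must be configured together with :http_client_key.` and `The OpenSSL::PKey private key matching :http_client_cert. Must be configured together with :http_client_cert.`. The double blank added line between the two option calls looks accidental. This applies equally to the renamed `ssl_cert`/`ssl_key` options in patch 3.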
@@ -297,9 +297,6 @@ def start_session endpoint
 http.cert_store = ssl_ca_store if ssl_ca_store
 http.cert = http_client_cert if http_client_cert
 http.key = http_client_key if http_client_key
-
- puts "Set stuff"
- puts http.cert
 else
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
From f828a6fba058f5bf0674dfe7ed8ef845021ca248 Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Mon, 9 Sep 2024 11:37:32 -0700
Subject: [PATCH 3/3] Update names to use ssl prefix
---
 gems/aws-sdk-core/CHANGELOG.md | 2 +-
 .../lib/seahorse/client/net_http/connection_pool.rb | 12 ++++++------
 .../lib/seahorse/client/plugins/net_http.rb | 4 ++--
 .../spec/seahorse/client/plugins/net_http_spec.rb | 8 ++++++++
 4 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index 824929b3948..3b8a970d019 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,7 +1,7 @@
 Unreleased Changes
 ------------------
-* Issue - Add support for Http client cert and key to support mTLS.
+* Issue - Add support for `ssl_cert` and `ssl_key` configuration options to support mTLS.
 3.203.0 (2024-09-03)
 ------------------
diff --git a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
index 73661de1d9e..e6285ce8a29 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
@@ -35,8 +35,8 @@ class ConnectionPool
 ssl_ca_directory: nil,
 ssl_ca_store: nil,
 ssl_timeout: nil,
- http_client_cert: nil,
- http_client_key: nil
+ ssl_cert: nil,
+ ssl_key: nil
 }
 # @api private
@@ -249,8 +249,8 @@ def pool_options options
 :ssl_ca_directory => options[:ssl_ca_directory],
 :ssl_ca_store => options[:ssl_ca_store],
 :ssl_timeout => options[:ssl_timeout],
- :http_client_cert => options[:http_client_cert],
- :http_client_key => options[:http_client_key]
+ :ssl_cert => options[:ssl_cert],
+ :ssl_key => options[:ssl_key]
 }
 end
@@ -295,8 +295,8 @@ def start_session endpoint
 http.ca_file = ssl_ca_bundle if ssl_ca_bundle
 http.ca_path = ssl_ca_directory if ssl_ca_directory
 http.cert_store = ssl_ca_store if ssl_ca_store
- http.cert = http_client_cert if http_client_cert
- http.key = http_client_key if http_client_key
+ http.cert = ssl_cert if ssl_cert
+ http.key = ssl_key if ssl_key
 else
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
diff --git a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
index 29e58a3b018..7b36300be02 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
@@ -70,12 +70,12 @@ class NetHttp < Plugin
 resolve_ssl_timeout(cfg)
 end
- option(:http_client_cert, default: nil, doc_type: OpenSSL::X509::Certificate, docstring: <<-DOCS)
+ option(:ssl_cert, default: nil, doc_type: OpenSSL::X509::Certificate, docstring: <<-DOCS)
 Sets a client certificate when creating http connections.
 DOCS
- option(:http_client_key, default: nil, doc_type: OpenSSL::PKey, docstring: <<-DOCS)
+ option(:ssl_key, default: nil, doc_type: OpenSSL::PKey, docstring: <<-DOCS)
 Sets a client key when creating http connections.
 DOCS
diff --git a/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb b/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
index 9258789e7b0..6ebb5e4a046 100644
--- a/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
+++ b/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
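Review bot: `doc_type: OpenSSL::PKey` on the new `option(:ssl_key, ...)` line names a module, not the class of the value a caller will pass; private keys are instances of `OpenSSL::PKey::PKey` subclasses such as `OpenSSL::PKey::RSA` and `OpenSSL::PKey::EC`, so the generated docs would be more accurate with `doc_type: OpenSSL::PKey::PKey`. `doc_type: OpenSSL::X509::Certificate` on the `ssl_cert` line is already the concrete class and is fine as written.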
@@ -102,6 +102,14 @@ module Plugins
 it 'adds a :ssl_ca_store option without default' do
 expect(config.ssl_ca_store).to eq(nil)
 end
+
+ it 'adds a :ssl_cert option with no default' do
+ expect(config.ssl_cert).to eq(nil)
+ end
+
+ it 'adds a :ssl_key option with no default' do
+ expect(config.ssl_key).to eq(nil)
+ end
 end
 describe '#add_handlers' do
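Review bot: The two new examples only assert that `config.ssl_cert` and `config.ssl_key` default to nil; nothing in the series checks that a configured certificate and key actually reach the Net::HTTP session's `cert`/`key` in start_session, which is the behaviour the changelog entry promises. A connection-pool spec that builds a throwaway key pair and self-signed certificate with OpenSSL, passes them as `ssl_cert`/`ssl_key`, and asserts the session exposes the same objects would cover the feature, and a companion example supplying only one of the two would pin down whether a mismatched pair is rejected or silently ignored. The enclosing describe block starts and ends outside the hunk.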