S3 ARN support for FIPS and global regions.

Author: wps132230

aws-cpp-sdk-core/include/aws/core/Region.h

@@ -47,6 +47,9 @@ namespace Aws
 
  // If a pseudo region, for example, aws-global or us-east-1-fips is provided, it should be converted to the region name used for signing.
  Aws::String AWS_CORE_API ComputeSignerRegion(const Aws::String& region);
+
+ // A FIPs region starts with "fips-" or ends with "-fips".
+ bool AWS_CORE_API IsFipsRegion(const Aws::String& region);
  }
 
 } // namespace Aws

aws-cpp-sdk-core/source/Region.cpp

@@ -36,5 +36,18 @@ namespace Aws
  return region;
  }
  }
+
+ bool IsFipsRegion(const Aws::String& region)
+ {
+ if (region.size() >= 5 && region.compare(0, 5, "fips-") == 0)
+ {
+ return true;
+ }
+ else if (region.size() >= 5 && region.compare(region.size() - 5, 5, "-fips") == 0)
+ {
+ return true;
+ }
+ return false;
+ }
  }
 }

aws-cpp-sdk-s3-crt-integration-tests/BucketAndObjectOperationTest.cpp

@@ -24,17 +24,23 @@ namespace Aws
  // Take pseudo region into consideration here.
  Aws::String region = clientRegion ? clientRegion : "";
  Aws::StringStream ss;
- if (this->GetResourceType() == ARNResourceType::OUTPOST && region.find("fips") != Aws::String::npos)
+ if (this->GetResourceType() == ARNResourceType::OUTPOST && Aws::Region::IsFipsRegion(region))
  {
  ss.str("");
  ss << "Outposts ARN do not support fips regions right now.";
  return S3ARNOutcome(Aws::Client::AWSError<S3Errors>(S3Errors::VALIDATION, "VALIDATION", ss.str(), false));
  }
- else if (this->GetRegion() != Aws::Region::ComputeSignerRegion(clientRegion))
+ else if (region == Aws::Region::AWS_GLOBAL || region == "s3-external-1")
+ {
+ ss.str("");
+ ss << "Region: \"" << region << "\" is not a regional endpoint.";
+ return S3ARNOutcome(Aws::Client::AWSError<S3Errors>(S3Errors::VALIDATION, "VALIDATION", ss.str(), false));
+ }
+ else if (this->GetRegion() != Aws::Region::ComputeSignerRegion(region))
  {
  ss.str("");
  ss << "Region mismatch between \"" << this->GetRegion() << "\" defined in ARN and \""
- << clientRegion << "\" defined in client configuration. "
+ << region << "\" defined in client configuration. "
  << "You can specify AWS_S3_USE_ARN_REGION to ignore region defined in client configuration.";
  return S3ARNOutcome(Aws::Client::AWSError<S3Errors>(S3Errors::VALIDATION, "VALIDATION", ss.str(), false));
  }
@@ -115,7 +121,7 @@ namespace Aws
  // Validation on Outposts ARN:
  else if (this->GetResourceType() == ARNResourceType::OUTPOST)
  {
- if (this->GetRegion().find("fips") != Aws::String::npos)
+ if (Aws::Region::IsFipsRegion(this->GetRegion()))
  {
  ss.str("");
  ss << "Outposts ARN do not support fips regions right now.";

aws-cpp-sdk-s3-integration-tests/BucketAndObjectOperationTest.cpp

@@ -4089,7 +4089,8 @@ ComputeEndpointOutcome S3Client::ComputeEndpointString(const Aws::String& bucket
  "Path style addressing is not compatible with Access Point ARN or Outposts ARN in Bucket field, please consider using virtual addressing for this client instead.", false));
  }
 
- S3ARNOutcome s3ArnOutcome = m_useArnRegion ? arn.Validate() : arn.Validate(m_region.c_str());
+ bool useClientRegion = !m_useArnRegion || Aws::Region::IsFipsRegion(m_region);
+ S3ARNOutcome s3ArnOutcome = useClientRegion ? arn.Validate(m_region.c_str()) : arn.Validate();
  if (!s3ArnOutcome.IsSuccess())
  {
  return ComputeEndpointOutcome(s3ArnOutcome.GetError());
@@ -4102,12 +4103,12 @@ ComputeEndpointOutcome S3Client::ComputeEndpointString(const Aws::String& bucket
  return ComputeEndpointOutcome(Aws::Client::AWSError<S3Errors>(S3Errors::VALIDATION, "VALIDATION",
  "S3 Object Lambda Access Point ARNs do not support dualstack right now.", false));
  }
- ss << S3Endpoint::ForObjectLambdaAccessPointArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << S3Endpoint::ForObjectLambdaAccessPointArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, ARNService::S3_OBJECT_LAMBDA));
  }
  else if (arn.GetResourceType() == ARNResourceType::ACCESSPOINT)
  {
- ss << S3Endpoint::ForAccessPointArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << S3Endpoint::ForAccessPointArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, SERVICE_NAME));
  }
  else if (arn.GetResourceType() == ARNResourceType::OUTPOST)
@@ -4117,7 +4118,7 @@ ComputeEndpointOutcome S3Client::ComputeEndpointString(const Aws::String& bucket
  return ComputeEndpointOutcome(Aws::Client::AWSError<S3Errors>(S3Errors::VALIDATION, "VALIDATION",
  "Outposts Access Points do not support dualstack right now.", false));
  }
- ss << S3Endpoint::ForOutpostsArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << S3Endpoint::ForOutpostsArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, "s3-outposts"));
  }
  }

aws-cpp-sdk-s3/source/S3ARN.cpp

@@ -39,15 +39,13 @@ namespace S3Endpoint
  }
 
  const Aws::String& region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
- auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(region) ? "-fips" : "";
+ Aws::String dualstackSuffix = useDualStack ? "dualstack." : "";
 
- ss << arn.GetResourceId() << "-" << arn.GetAccountId() << ".s3-accesspoint.";
- if (useDualStack)
- {
- ss << "dualstack.";
- }
- ss << region << "." << "amazonaws.com";
+ ss << arn.GetResourceId() << "-" << arn.GetAccountId() << ".s3-accesspoint" << fipsSuffix << "."
+ << dualstackSuffix << Aws::Region::ComputeSignerRegion(region) << "." << "amazonaws.com";
 
+ auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
  {
  ss << ".cn";
@@ -60,6 +58,7 @@ namespace S3Endpoint
  {
  AWS_UNREFERENCED_PARAM(useDualStack);
  assert(!useDualStack);
+ assert(!Aws::Region::IsFipsRegion(regionNameOverride));
  Aws::StringStream ss;
 
  if (!endpointOverride.empty())
@@ -93,20 +92,11 @@ namespace S3Endpoint
  return ss.str();
  }
 
- Aws::String region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
- Aws::String fipsSuffix = "";
- if (region.size() >= 5 && region.compare(0, 5, "fips-") == 0)
- {
- region = region.substr(5);
- fipsSuffix = "-fips";
- }
- else if (region.size() >= 5 && region.compare(region.size() - 5, 5, "-fips") == 0)
- {
- region = region.substr(0, region.size() - 5);
- fipsSuffix = "-fips";
- }
+ const Aws::String& region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(region) ? "-fips" : "";
 
- ss << arn.GetResourceId() << "-" << arn.GetAccountId() << "." << ARNService::S3_OBJECT_LAMBDA << fipsSuffix << "." << region << "." << "amazonaws.com";
+ ss << arn.GetResourceId() << "-" << arn.GetAccountId() << "." << ARNService::S3_OBJECT_LAMBDA << fipsSuffix << "."
+ << Aws::Region::ComputeSignerRegion(region) << "." << "amazonaws.com";
 
  auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
@@ -125,26 +115,10 @@ namespace S3Endpoint
  {
  assert(!useDualStack);
 
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(regionName) ? "-fips" : "";
  Aws::StringStream ss;
- ss << serviceName;
+ ss << serviceName << fipsSuffix << "." << Aws::Region::ComputeSignerRegion(regionName) << ".amazonaws.com";
 
- if (regionName.size() >= 5 && regionName.compare(0, 5, "fips-") == 0)
- {
- ss << "-fips." << regionName.substr(5);
- }
- else if (regionName.size() >= 5 && regionName.compare(regionName.size() - 5, 5, "-fips") == 0)
- {
- ss << "-fips." << regionName.substr(0, regionName.size() - 5);
- }
- else if (hash == AWS_GLOBAL_HASH || hash == S3_EXTERNAL_1_HASH)
- {
- ss << "." << Aws::Region::US_EAST_1;
- }
- else
- {
- ss << "." << regionName;
- }
- ss << ".amazonaws.com";
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
  {
  ss << ".cn";

aws-cpp-sdk-s3/source/S3Client.cpp

@@ -27,17 +27,23 @@ namespace ${rootNamespace}
  // Take pseudo region into consideration here.
  Aws::String region = clientRegion ? clientRegion : "";
  Aws::StringStream ss;
- if (this->GetResourceType() == ARNResourceType::OUTPOST && region.find("fips") != Aws::String::npos)
+ if (this->GetResourceType() == ARNResourceType::OUTPOST && Aws::Region::IsFipsRegion(region))
  {
  ss.str("");
  ss << "Outposts ARN do not support fips regions right now.";
  return ${validateOutcome}(Aws::Client::AWSError<${serviceError}>(${serviceError}::VALIDATION, "VALIDATION", ss.str(), false));
  }
- else if (this->GetRegion() != Aws::Region::ComputeSignerRegion(clientRegion))
+ else if (region == Aws::Region::AWS_GLOBAL || region == "s3-external-1")
+ {
+ ss.str("");
+ ss << "Region: \"" << region << "\" is not a regional endpoint.";
+ return ${validateOutcome}(Aws::Client::AWSError<${serviceError}>(${serviceError}::VALIDATION, "VALIDATION", ss.str(), false));
+ }
+ else if (this->GetRegion() != Aws::Region::ComputeSignerRegion(region))
  {
  ss.str("");
  ss << "Region mismatch between \"" << this->GetRegion() << "\" defined in ARN and \""
- << clientRegion << "\" defined in client configuration. "
+ << region << "\" defined in client configuration. "
  << "You can specify AWS_S3_USE_ARN_REGION to ignore region defined in client configuration.";
  return ${validateOutcome}(Aws::Client::AWSError<${serviceError}>(${serviceError}::VALIDATION, "VALIDATION", ss.str(), false));
  }
@@ -118,7 +124,7 @@ namespace ${rootNamespace}
  // Validation on Outposts ARN:
  else if (this->GetResourceType() == ARNResourceType::OUTPOST)
  {
- if (this->GetRegion().find("fips") != Aws::String::npos)
+ if (Aws::Region::IsFipsRegion(this->GetRegion()))
  {
  ss.str("");
  ss << "Outposts ARN do not support fips regions right now.";

aws-cpp-sdk-s3/source/S3Endpoint.cpp

@@ -209,7 +209,8 @@ ComputeEndpointOutcome ${className}::ComputeEndpointString(const Aws::String& bu
  "Path style addressing is not compatible with Access Point ARN or Outposts ARN in Bucket field, please consider using virtual addressing for this client instead.", false));
  }
 
- ${metadata.classNamePrefix}ARNOutcome s3ArnOutcome = m_useArnRegion ? arn.Validate() : arn.Validate(m_region.c_str());
+ bool useClientRegion = !m_useArnRegion || Aws::Region::IsFipsRegion(m_region);
+ ${metadata.classNamePrefix}ARNOutcome s3ArnOutcome = useClientRegion ? arn.Validate(m_region.c_str()) : arn.Validate();
  if (!s3ArnOutcome.IsSuccess())
  {
  return ComputeEndpointOutcome(s3ArnOutcome.GetError());
@@ -222,12 +223,12 @@ ComputeEndpointOutcome ${className}::ComputeEndpointString(const Aws::String& bu
  return ComputeEndpointOutcome(Aws::Client::AWSError<${metadata.classNamePrefix}Errors>(${metadata.classNamePrefix}Errors::VALIDATION, "VALIDATION",
  "S3 Object Lambda Access Point ARNs do not support dualstack right now.", false));
  }
- ss << ${metadata.classNamePrefix}Endpoint::ForObjectLambdaAccessPointArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << ${metadata.classNamePrefix}Endpoint::ForObjectLambdaAccessPointArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, ARNService::S3_OBJECT_LAMBDA));
  }
  else if (arn.GetResourceType() == ARNResourceType::ACCESSPOINT)
  {
- ss << ${metadata.classNamePrefix}Endpoint::ForAccessPointArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << ${metadata.classNamePrefix}Endpoint::ForAccessPointArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, SERVICE_NAME));
  }
  else if (arn.GetResourceType() == ARNResourceType::OUTPOST)
@@ -237,7 +238,7 @@ ComputeEndpointOutcome ${className}::ComputeEndpointString(const Aws::String& bu
  return ComputeEndpointOutcome(Aws::Client::AWSError<${metadata.classNamePrefix}Errors>(${metadata.classNamePrefix}Errors::VALIDATION, "VALIDATION",
  "Outposts Access Points do not support dualstack right now.", false));
  }
- ss << ${metadata.classNamePrefix}Endpoint::ForOutpostsArn(arn, m_useArnRegion ? "" : m_region, m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
+ ss << ${metadata.classNamePrefix}Endpoint::ForOutpostsArn(arn, useClientRegion ? m_region : "", m_useDualStack, m_useCustomEndpoint ? m_baseUri : "");
  return ComputeEndpointOutcome(ComputeEndpointResult(ss.str(), signerRegion, "s3-outposts"));
  }
  }

code-generation/generator/src/main/resources/com/amazonaws/util/awsclientgenerator/velocity/cpp/s3/S3ARNSource.vm

@@ -40,15 +40,13 @@ namespace ${metadata.classNamePrefix}Endpoint
  }
 
  const Aws::String& region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
- auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(region) ? "-fips" : "";
+ Aws::String dualstackSuffix = useDualStack ? "dualstack." : "";
 
- ss << arn.GetResourceId() << "-" << arn.GetAccountId() << ".s3-accesspoint.";
- if (useDualStack)
- {
- ss << "dualstack.";
- }
- ss << region << "." << "amazonaws.com";
+ ss << arn.GetResourceId() << "-" << arn.GetAccountId() << ".s3-accesspoint" << fipsSuffix << "."
+ << dualstackSuffix << Aws::Region::ComputeSignerRegion(region) << "." << "amazonaws.com";
 
+ auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
  {
  ss << ".cn";
@@ -61,6 +59,7 @@ namespace ${metadata.classNamePrefix}Endpoint
  {
  AWS_UNREFERENCED_PARAM(useDualStack);
  assert(!useDualStack);
+ assert(!Aws::Region::IsFipsRegion(regionNameOverride));
  Aws::StringStream ss;
 
  if (!endpointOverride.empty())
@@ -94,20 +93,11 @@ namespace ${metadata.classNamePrefix}Endpoint
  return ss.str();
  }
 
- Aws::String region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
- Aws::String fipsSuffix = "";
- if (region.size() >= 5 && region.compare(0, 5, "fips-") == 0)
- {
- region = region.substr(5);
- fipsSuffix = "-fips";
- }
- else if (region.size() >= 5 && region.compare(region.size() - 5, 5, "-fips") == 0)
- {
- region = region.substr(0, region.size() - 5);
- fipsSuffix = "-fips";
- }
+ const Aws::String& region = regionNameOverride.empty() ? arn.GetRegion() : regionNameOverride;
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(region) ? "-fips" : "";
 
- ss << arn.GetResourceId() << "-" << arn.GetAccountId() << "." << ARNService::S3_OBJECT_LAMBDA << fipsSuffix << "." << region << "." << "amazonaws.com";
+ ss << arn.GetResourceId() << "-" << arn.GetAccountId() << "." << ARNService::S3_OBJECT_LAMBDA << fipsSuffix << "."
+ << Aws::Region::ComputeSignerRegion(region) << "." << "amazonaws.com";
 
  auto hash = Aws::Utils::HashingUtils::HashString(region.c_str());
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
@@ -126,26 +116,10 @@ namespace ${metadata.classNamePrefix}Endpoint
  {
  assert(!useDualStack);
 
+ Aws::String fipsSuffix = Aws::Region::IsFipsRegion(regionName) ? "-fips" : "";
  Aws::StringStream ss;
- ss << serviceName;
+ ss << serviceName << fipsSuffix << "." << Aws::Region::ComputeSignerRegion(regionName) << ".amazonaws.com";
 
- if (regionName.size() >= 5 && regionName.compare(0, 5, "fips-") == 0)
- {
- ss << "-fips." << regionName.substr(5);
- }
- else if (regionName.size() >= 5 && regionName.compare(regionName.size() - 5, 5, "-fips") == 0)
- {
- ss << "-fips." << regionName.substr(0, regionName.size() - 5);
- }
- else if (hash == AWS_GLOBAL_HASH || hash == S3_EXTERNAL_1_HASH)
- {
- ss << "." << Aws::Region::US_EAST_1;
- }
- else
- {
- ss << "." << regionName;
- }
- ss << ".amazonaws.com";
  if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
  {
  ss << ".cn";