gravitational · alistanis · Jun 23, 2022 · Jun 21, 2022 · Jun 22, 2022 · Jun 23, 2022
diff --git a/api/types/audit.go b/api/types/audit.go
@@ -52,6 +52,11 @@ type ClusterAuditConfig interface {
 	// SetAuditEventsURIs sets the audit events URIs.
 	SetAuditEventsURIs([]string)
 
+	// SetUseFIPSEndpoint sets the FIPS endpoint state for S3/Dynamo backends.
+	SetUseFIPSEndpoint(state ClusterAuditConfigSpecV2_FIPSEndpointState)
+	// GetUseFIPSEndpoint gets the current FIPS endpoint setting
+	GetUseFIPSEndpoint() ClusterAuditConfigSpecV2_FIPSEndpointState
+
 	// EnableContinuousBackups is used to enable (or disable) PITR (Point-In-Time Recovery).
 	EnableContinuousBackups() bool
 	// EnableAutoScaling is used to enable (or disable) auto scaling policy.
@@ -190,6 +195,16 @@ func (c *ClusterAuditConfigV2) SetAuditEventsURIs(uris []string) {
 	c.Spec.AuditEventsURI = uris
 }
 
+// SetUseFIPSEndpoint sets the FIPS endpoint state for S3/Dynamo backends.
+func (c *ClusterAuditConfigV2) SetUseFIPSEndpoint(state ClusterAuditConfigSpecV2_FIPSEndpointState) {
+	c.Spec.UseFIPSEndpoint = state
+}
+
+// GetUseFIPSEndpoint gets the current FIPS endpoint setting
+func (c *ClusterAuditConfigV2) GetUseFIPSEndpoint() ClusterAuditConfigSpecV2_FIPSEndpointState {
+	return c.Spec.UseFIPSEndpoint
+}
+
 // EnableContinuousBackups is used to enable (or disable) PITR (Point-In-Time Recovery).
 func (c *ClusterAuditConfigV2) EnableContinuousBackups() bool {
 	return c.Spec.EnableContinuousBackups

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/api/types/types.proto b/api/types/types.proto
@@ -931,6 +931,19 @@ message ClusterAuditConfigSpecV2 {
         (gogoproto.casttype) = "Duration",
         (gogoproto.nullable) = true
     ];
+
+    // FIPSEndpointState represents an AWS FIPS endpoint state.
+    enum FIPSEndpointState {
+        // FIPS_UNSET allows setting FIPS state for AWS S3/Dynamo using configuration files or
+        // environment variables
+        FIPS_UNSET = 0;
+        // FIPS_ENABLED explicitly enables FIPS support for AWS S3/Dynamo
+        FIPS_ENABLED = 1;
+        // FIPS_DISABLED explicitly disables FIPS support for AWS S3/Dynamo
+        FIPS_DISABLED = 2;
+    }
+    // UseFIPSEndpoint configures AWS endpoints to use FIPS.
+    FIPSEndpointState UseFIPSEndpoint = 15 [ (gogoproto.jsontag) = "use_fips_endpoint,omitempty" ];
 }
 
 // ClusterNetworkingConfigV2 contains cluster-wide networking configuration.

diff --git a/lib/events/dynamoevents/dynamoevents.go b/lib/events/dynamoevents/dynamoevents.go
@@ -27,6 +27,7 @@ import (
 	"math"
 	"net/url"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
@@ -109,11 +110,6 @@ type Config struct {
 	// Endpoint is an optional non-AWS endpoint
 	Endpoint string `json:"endpoint,omitempty"`
 
-	// EnableContinuousBackups is used to enable PITR (Point-In-Time Recovery).
-	EnableContinuousBackups bool
-
-	// EnableAutoScaling is used to enable auto scaling policy.
-	EnableAutoScaling bool
 	// ReadMaxCapacity is the maximum provisioned read capacity.
 	ReadMaxCapacity int64
 	// ReadMinCapacity is the minimum provisioned read capacity.
@@ -126,6 +122,19 @@ type Config struct {
 	WriteMinCapacity int64
 	// WriteTargetValue is the ratio of consumed write to provisioned capacity.
 	WriteTargetValue float64
+
+	// UseFIPSEndpoint uses AWS FedRAMP/FIPS 140-2 mode endpoints.
+	// to determine its behavior:
+	// Unset - allows environment variables or AWS config to set the value
+	// Enabled - explicitly enabled
+	// Disabled - explicitly disabled
+	UseFIPSEndpoint types.ClusterAuditConfigSpecV2_FIPSEndpointState
+
+	// EnableContinuousBackups is used to enable PITR (Point-In-Time Recovery).
+	EnableContinuousBackups bool
+
+	// EnableAutoScaling is used to enable auto scaling policy.
+	EnableAutoScaling bool
 }
 
 // SetFromURL sets values on the Config from the supplied URI
@@ -134,6 +143,20 @@ func (cfg *Config) SetFromURL(in *url.URL) error {
 		cfg.Endpoint = endpoint
 	}
 
+	const boolErrorTemplate = "failed to parse URI %q flag %q - %q, supported values are 'true', 'false', or any other" +
+		"supported boolean in https://pkg.go.dev/strconv#ParseBool"
+	if val := in.Query().Get(events.UseFIPSQueryParam); val != "" {
+		useFips, err := strconv.ParseBool(val)
+		if err != nil {
+			return trace.BadParameter(boolErrorTemplate, in.String(), events.UseFIPSQueryParam, val)
+		}
+		if useFips {
+			cfg.UseFIPSEndpoint = types.ClusterAuditConfigSpecV2_FIPS_ENABLED
+		} else {
+			cfg.UseFIPSEndpoint = types.ClusterAuditConfigSpecV2_FIPS_DISABLED
+		}
+	}
+
 	return nil
 }
 
@@ -265,6 +288,9 @@ func New(ctx context.Context, cfg Config, backend backend.Backend) (*Log, error)
 		b.session.Config.Endpoint = aws.String(cfg.Endpoint)
 	}
 
+	// Explicitly enable or disable FIPS endpoints for DynamoDB
+	b.session.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(cfg.UseFIPSEndpoint)
+
 	// create DynamoDB service:
 	b.svc = dynamodb.New(b.session)
 

diff --git a/lib/events/dynamoevents/dynamoevents_test.go b/lib/events/dynamoevents/dynamoevents_test.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"fmt"
 	"math/rand"
+	"net/url"
 	"os"
 	"strconv"
 	"strings"
@@ -281,3 +282,65 @@ func (s *DynamoeventsLargeTableSuite) TestEmitAuditEventForLargeEvents(c *check.
 	err = s.Log.EmitAuditEvent(ctx, appReqEvent)
 	c.Check(trace.Unwrap(err), check.FitsTypeOf, errAWSValidation)
 }
+
+func TestConfig_SetFromURL(t *testing.T) {
+	useFipsCfg := Config{
+		UseFIPSEndpoint: types.ClusterAuditConfigSpecV2_FIPS_ENABLED,
+	}
+	cases := []struct {
+		name         string
+		url          string
+		cfg          Config
+		cfgAssertion func(*testing.T, Config)
+	}{
+		{
+			name: "fips enabled via url",
+			url:  "dynamodb://event_table_name?use_fips_endpoint=true",
+			cfgAssertion: func(t *testing.T, config Config) {
+				require.Equal(t, types.ClusterAuditConfigSpecV2_FIPS_ENABLED, config.UseFIPSEndpoint)
+			},
+		},
+		{
+			name: "fips disabled via url",
+			url:  "dynamodb://event_table_name?use_fips_endpoint=false&endpoint=dynamo.example.com",
+			cfgAssertion: func(t *testing.T, config Config) {
+				require.Equal(t, types.ClusterAuditConfigSpecV2_FIPS_DISABLED, config.UseFIPSEndpoint)
+				require.Equal(t, "dynamo.example.com", config.Endpoint)
+			},
+		},
+		{
+			name: "fips mode not set",
+			url:  "dynamodb://event_table_name",
+			cfgAssertion: func(t *testing.T, config Config) {
+				require.Equal(t, types.ClusterAuditConfigSpecV2_FIPS_UNSET, config.UseFIPSEndpoint)
+			},
+		},
+		{
+			name: "fips mode enabled by default",
+			url:  "dynamodb://event_table_name",
+			cfg:  useFipsCfg,
+			cfgAssertion: func(t *testing.T, config Config) {
+				require.Equal(t, types.ClusterAuditConfigSpecV2_FIPS_ENABLED, config.UseFIPSEndpoint)
+			},
+		},
+		{
+			name: "fips mode can be overridden",
+			url:  "dynamodb://event_table_name?use_fips_endpoint=false",
+			cfg:  useFipsCfg,
+			cfgAssertion: func(t *testing.T, config Config) {
+				require.Equal(t, types.ClusterAuditConfigSpecV2_FIPS_DISABLED, config.UseFIPSEndpoint)
+			},
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+
+			uri, err := url.Parse(tt.url)
+			require.NoError(t, err)
+			require.NoError(t, tt.cfg.SetFromURL(uri))
+
+			tt.cfgAssertion(t, tt.cfg)
+		})
+	}
+}
diff --git a/lib/events/fips.go b/lib/events/fips.go
@@ -0,0 +1,40 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package events
+
+import (
+	"github.com/gravitational/teleport/api/types"
+
+	"github.com/aws/aws-sdk-go/aws/endpoints"
+)
+
+const (
+	// UseFIPSQueryParam is the URL query parameter used for enabling
+	// FIPS endpoints for AWS S3/Dynamo.
+	UseFIPSQueryParam = "use_fips_endpoint"
+)
+
+var (
+	fipsToAWS = map[types.ClusterAuditConfigSpecV2_FIPSEndpointState]endpoints.FIPSEndpointState{
+		types.ClusterAuditConfigSpecV2_FIPS_UNSET:    endpoints.FIPSEndpointStateUnset,
+		types.ClusterAuditConfigSpecV2_FIPS_ENABLED:  endpoints.FIPSEndpointStateEnabled,
+		types.ClusterAuditConfigSpecV2_FIPS_DISABLED: endpoints.FIPSEndpointStateDisabled,
+	}
+)
+
+// FIPSProtoStateToAWSState converts a FIPS proto state to an aws endpoints.FIPSEndpointState
+func FIPSProtoStateToAWSState(state types.ClusterAuditConfigSpecV2_FIPSEndpointState) endpoints.FIPSEndpointState {
+	return fipsToAWS[state]
+}
diff --git a/lib/events/s3sessions/s3handler.go b/lib/events/s3sessions/s3handler.go
@@ -28,6 +28,8 @@ import (
 	"time"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/session"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -65,12 +67,8 @@ type Config struct {
 	Region string
 	// Path is an optional bucket path
 	Path string
-	// Host is an optional third party S3 compatible endpoint
+	// Endpoint is an optional third party S3 compatible endpoint
 	Endpoint string
-	// Insecure is an optional switch to opt out of https connections
-	Insecure bool
-	//DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
-	DisableServerSideEncryption bool
 	// ACL is the canned ACL to send to S3
 	ACL string
 	// Session is an optional existing AWS client session
@@ -79,6 +77,18 @@ type Config struct {
 	Credentials *credentials.Credentials
 	// SSEKMSKey specifies the optional custom CMK used for KMS SSE.
 	SSEKMSKey string
+
+	// UseFIPSEndpoint uses AWS FedRAMP/FIPS 140-2 mode endpoints.
+	// to determine its behavior:
+	// Unset - allows environment variables or AWS config to set the value
+	// Enabled - explicitly enabled
+	// Disabled - explicitly disabled
+	UseFIPSEndpoint types.ClusterAuditConfigSpecV2_FIPSEndpointState
+
+	// Insecure is an optional switch to opt out of https connections
+	Insecure bool
+	//DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
+	DisableServerSideEncryption bool
 }
 
 // SetFromURL sets values on the Config from the supplied URI
@@ -90,17 +100,20 @@ func (s *Config) SetFromURL(in *url.URL, inRegion string) error {
 	if endpoint := in.Query().Get(teleport.Endpoint); endpoint != "" {
 		s.Endpoint = endpoint
 	}
+
+	const boolErrorTemplate = "failed to parse URI %q flag %q - %q, supported values are 'true', 'false', or any other" +
+		"supported boolean in https://pkg.go.dev/strconv#ParseBool"
 	if val := in.Query().Get(teleport.Insecure); val != "" {
 		insecure, err := strconv.ParseBool(val)
 		if err != nil {
-			return trace.BadParameter("failed to parse URI %q flag %q - %q, supported values are 'true' or 'false'", in.String(), teleport.Insecure, val)
+			return trace.BadParameter(boolErrorTemplate, in.String(), teleport.Insecure, val)
 		}
 		s.Insecure = insecure
 	}
 	if val := in.Query().Get(teleport.DisableServerSideEncryption); val != "" {
 		disableServerSideEncryption, err := strconv.ParseBool(val)
 		if err != nil {
-			return trace.BadParameter("failed to parse URI %q flag %q - %q, supported values are 'true' or 'false'", in.String(), teleport.DisableServerSideEncryption, val)
+			return trace.BadParameter(boolErrorTemplate, in.String(), teleport.DisableServerSideEncryption, val)
 		}
 		s.DisableServerSideEncryption = disableServerSideEncryption
 	}
@@ -113,6 +126,19 @@ func (s *Config) SetFromURL(in *url.URL, inRegion string) error {
 	if val := in.Query().Get(teleport.SSEKMSKey); val != "" {
 		s.SSEKMSKey = val
 	}
+
+	if val := in.Query().Get(events.UseFIPSQueryParam); val != "" {
+		useFips, err := strconv.ParseBool(val)
+		if err != nil {
+			return trace.BadParameter(boolErrorTemplate, in.String(), events.UseFIPSQueryParam, val)
+		}
+		if useFips {
+			s.UseFIPSEndpoint = types.ClusterAuditConfigSpecV2_FIPS_ENABLED
+		} else {
+			s.UseFIPSEndpoint = types.ClusterAuditConfigSpecV2_FIPS_DISABLED
+		}
+	}
+
 	s.Region = region
 	s.Bucket = in.Host
 	s.Path = in.Path
@@ -148,6 +174,9 @@ func (s *Config) CheckAndSetDefaults() error {
 		if s.Credentials != nil {
 			sess.Config.Credentials = s.Credentials
 		}
+
+		sess.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(s.UseFIPSEndpoint)
+
 		s.Session = sess
 	}
 	return nil