Provide a new agent config option to let customers switch ADCS/CDCS c…

…lient cr https://code.amazon.com/reviews/CR-24765207
aws · Jul 9, 2020 · d08c706 · d08c706
1 parent cd883c7
commit d08c706
Show file tree

Hide file tree

Showing 10 changed files with 411 additions and 9 deletions.
diff --git a/Gemfile b/Gemfile
@@ -10,7 +10,7 @@ gem "codedeploy-commands", "1.0.0", :path => "#{File.expand_path(__FILE__)}/../v
 
 group :test do
   gem 'test-unit'
-  gem 'activesupport', :require => 'active_support'  
+  gem 'activesupport', :require => 'active_support'
   gem 'coveralls', require: false
   gem 'cucumber'
   gem 'fakefs', :require => 'fakefs/safe'

diff --git a/lib/instance_agent/config.rb b/lib/instance_agent/config.rb
@@ -43,7 +43,8 @@ def initialize
         :enable_deployments_log => true,
         :use_fips_mode => false,
         :deploy_control_endpoint => nil,
-        :s3_endpoint_override => nil
+        :s3_endpoint_override => nil,
+        :enable_auth_policy => false
       })
     end
 

diff --git a/lib/instance_agent/plugins/codedeploy/codedeploy_control.rb b/lib/instance_agent/plugins/codedeploy/codedeploy_control.rb
@@ -47,6 +47,7 @@ def ssl_verify_peer
 
         def verify_cert_fields
           deploy_control_endpoint = get_client.config.endpoint
+          InstanceAgent::Log.debug("Current deploy control endpoint: #{deploy_control_endpoint}")
           begin
             cert_verifier = InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControlCertVerifier.new(deploy_control_endpoint)
             cert_verifier.verify_cert

diff --git a/lib/instance_agent/plugins/codedeploy/command_poller.rb b/lib/instance_agent/plugins/codedeploy/command_poller.rb
@@ -40,6 +40,7 @@ def initialize
 
           log(:debug, "Configuring deploy control client: Region=#{region.inspect}")
           log(:debug, "Deploy control endpoint override=#{InstanceAgent::Config.config[:deploy_control_endpoint]}")
+          log(:debug, "Enable auth policy = #{InstanceAgent::Config.config[:enable_auth_policy]}")
 
           @deploy_control = InstanceAgent::Plugins::CodeDeployPlugin::CodeDeployControl.new(:region => region, :logger => InstanceAgent::Log, :ssl_ca_directory => ENV['AWS_SSL_CA_DIRECTORY'])
           @deploy_control_client = @deploy_control.get_client

diff --git a/test/instance_agent/config_test.rb b/test/instance_agent/config_test.rb
@@ -34,7 +34,8 @@ class InstanceAgentConfigTest < InstanceAgentTestCase
         :kill_agent_max_wait_time_seconds => 7200,
         :use_fips_mode => false,
         :deploy_control_endpoint => nil,
-        :s3_endpoint_override => nil
+        :s3_endpoint_override => nil,
+        :enable_auth_policy => false
       }, InstanceAgent::Config.config)
     end
 

diff --git a/test/instance_agent/plugins/codedeploy/codedeploy_control_test.rb b/test/instance_agent/plugins/codedeploy/codedeploy_control_test.rb
@@ -83,6 +83,29 @@ class CodeDeployControlTest < InstanceAgentTestCase
             assert_equal "codedeploy-commands-fips.us-west-2.amazonaws.com", codedeploy_control_client.get_client.config.endpoint.host
         end
       end
+
+      context "with enable_auth_policy set" do
+        setup do
+          InstanceAgent::Config.config[:enable_auth_policy] = true
+        end
+
+        should "use secure endpoint" do
+          codedeploy_control_client = CodeDeployControl.new :region => "us-west-2"
+          assert_equal "codedeploy-commands-secure.us-west-2.amazonaws.com", codedeploy_control_client.get_client.config.endpoint.host
+        end
+      end
+
+      context "with both of use_fips_mode and enable_auth_policy set" do
+        setup do
+          InstanceAgent::Config.config[:use_fips_mode] = true
+          InstanceAgent::Config.config[:enable_auth_policy] = true
+        end
+
+        should "use secure Fips endpoint" do
+          codedeploy_control_client = CodeDeployControl.new :region => "us-west-2"
+          assert_equal "codedeploy-commands-secure-fips.us-west-2.amazonaws.com", codedeploy_control_client.get_client.config.endpoint.host
+        end
+      end
 
     end
   end

diff --git a/vendor/gems/codedeploy-commands-1.0.0/apis/CodeDeployCommand.api.json b/vendor/gems/codedeploy-commands-1.0.0/apis/CodeDeployCommand.api.json
@@ -4,10 +4,6 @@
     "apiVersion": "2014-10-06",
     "endpointPrefix": "codedeploy-commands",
     "jsonVersion": "1.1",
-    "regionalEndpoints": {
-      "us-east-1": "codedeploy-commands.us-east-1.amazonaws.com",
-      "us-west-2": "codedeploy-commands.us-west-2.amazonaws.com"
-    },
     "serviceAbbreviation": "CodeDeployCommand",
     "serviceFullName": "AWS CodeDeploy Command Service",
     "signatureVersion": "v4",