deprecate ssl common name

awscli/clidriver.py

@@ -484,7 +484,7 @@ def __call__(self, args, parsed_globals):
         event = 'before-building-argument-table-parser.%s.%s' % \
             (self._parent_name, self._name)
         self._emit(event, argument_table=self.arg_table, args=args,
-                   session=self._session)
+                   session=self._session, parsed_globals=parsed_globals)
         operation_parser = self._create_operation_parser(self.arg_table)
         self._add_help(operation_parser)
         parsed_args, remaining = operation_parser.parse_known_args(args)

awscli/customizations/commands.py

@@ -134,7 +134,7 @@ def __call__(self, args, parsed_globals):
         event = 'before-building-argument-table-parser.%s' % \
             ".".join(self.lineage_names)
         self._session.emit(event, argument_table=self._arg_table, args=args,
-                           session=self._session)
+                           session=self._session, parsed_globals=parsed_globals)
         parser = ArgTableArgParser(self.arg_table, self.subcommand_table)
         parsed_args, remaining = parser.parse_known_args(args)
 

awscli/customizations/overridesslcommonname.py

@@ -0,0 +1,93 @@
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+import os
+
+DEFAULT_DNS_SUFFIX = 'amazonaws.com'
+CHINA_DNS_SUFFIX = 'amazonaws.com.cn'
+GOV_DNS_SUFFIX = 'sc2s.sgov.gov'
+
+common_regions = [
+    "af-south-1",
+    "ap-east-1",
+    "ap-northeast-1",
+    "ap-northeast-2",
+    "ap-northeast-3",
+    "ap-south-1",
+    "ap-southeast-1",
+    "ap-southeast-2",
+    "ap-southeast-3",
+    "ca-central-1",
+    "eu-north-1",
+    "eu-south-1",
+    "eu-west-1",
+    "eu-west-2",
+    "eu-west-3",
+    "fips-us-east-1",
+    "fips-us-east-2",
+    "fips-us-west-1",
+    "fips-us-west-2",
+    "me-south-1",
+    "sa-east-1",
+    "us-east-2",
+    "us-west-1",
+    "us-west-2",
+]
+
+common_regions_with_dns_suffix = {
+    region: DEFAULT_DNS_SUFFIX for region in common_regions
+}
+
+sslCommonNameServiceRegions = {
+    "sqs": {
+        "us-east-1": DEFAULT_DNS_SUFFIX,
+        "eu-central-1": DEFAULT_DNS_SUFFIX,
+        "cn-north-1": CHINA_DNS_SUFFIX,
+        "cn-northwest-1": CHINA_DNS_SUFFIX,
+        "us-gov-west-1": DEFAULT_DNS_SUFFIX,
+        "us-isob-east-1": GOV_DNS_SUFFIX,
+        **common_regions_with_dns_suffix,
+    },
+    "emr": {
+        "fips-ca-central-1": DEFAULT_DNS_SUFFIX,
+        **common_regions_with_dns_suffix,
+    }
+}
+
+
+def register_override_ssl_common_name(cli):
+    cli.register_last(
+        'before-building-argument-table-parser',
+        update_endpoint_url
+    )
+
+def update_endpoint_url(session, parsed_globals, **kwargs):
+    service = parsed_globals.command
+    service_regions = sslCommonNameServiceRegions.get(service)
+    # only change url if user has not overrided already themselves
+    if (
+        service_regions is not None
+        and parsed_globals.endpoint_url is None
+    ):
+        region = parsed_globals.region
+        # only resolve region if user has not provided it in the command
+        if region is None:
+            region = (
+                session.get_config_variable('region')
+                or os.environ.get('AWS_DEFAULT_REGION')
+            )
+        dnsSuffix = service_regions.get(region)
+        if dnsSuffix is not None:
+            service_data = session.get_service_data(service)
+            endpointPrefix = service_data['metadata']['endpointPrefix']
+            parsed_globals.endpoint_url = f"https://{endpointPrefix}.{region}.{dnsSuffix}"

awscli/handlers.py

@@ -91,6 +91,7 @@
 from awscli.customizations.sessionmanager import register_ssm_session
 from awscli.customizations.sms_voice import register_sms_voice_hide
 from awscli.customizations.dynamodb import register_dynamodb_paginator_fix
+from awscli.customizations.overridesslcommonname import register_override_ssl_common_name
 
 
 def awscli_initialize(event_handlers):
@@ -183,3 +184,4 @@ def awscli_initialize(event_handlers):
     register_ssm_session(event_handlers)
     register_sms_voice_hide(event_handlers)
     register_dynamodb_paginator_fix(event_handlers)
+    register_override_ssl_common_name(event_handlers)

tests/unit/customizations/test_overridesslcommonname.py

@@ -0,0 +1,74 @@
+# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+from awscli.testutils import mock, unittest
+from awscli.testutils import BaseAWSCommandParamsTest
+from awscli.customizations.overridesslcommonname import update_endpoint_url
+
+
+class TestOverrideSslCommonName(BaseAWSCommandParamsTest):
+    prefix = 'sqs list-queues'
+
+    def setUp(self):
+        super().setUp()
+        self.parsed_globals = mock.Mock()
+        self.parsed_globals.endpoint_url = None
+        self.parsed_globals.region = None
+        self.parsed_globals.command = 'sqs'
+
+    def test_update_endpoint_url(self):
+        update_endpoint_url(self.driver.session, self.parsed_globals)
+        self.assertEqual(
+            self.parsed_globals.endpoint_url,
+            'https://sqs.us-east-1.amazonaws.com'
+        )
+
+    def test_dont_modify_provided_region_url(self):
+        self.parsed_globals.endpoint_url = 'https://test.com'
+        self.parsed_globals.region = 'us-west-1'
+        update_endpoint_url(self.driver.session, self.parsed_globals)
+        self.assertEqual(self.parsed_globals.endpoint_url, 'https://test.com')
+        self.assertEqual(self.parsed_globals.region, 'us-west-1')
+
+    def test_other_dns_suffixes(self):
+        self.parsed_globals.region = 'cn-north-1'
+        update_endpoint_url(self.driver.session, self.parsed_globals)
+        self.assertEqual(self.parsed_globals.endpoint_url, 'https://sqs.cn-north-1.amazonaws.com.cn')
+
+        self.parsed_globals.endpoint_url = None
+        self.parsed_globals.region = 'us-isob-east-1'
+        update_endpoint_url(self.driver.session, self.parsed_globals)
+        self.assertEqual(self.parsed_globals.endpoint_url, 'https://sqs.us-isob-east-1.sc2s.sgov.gov')
+
+    def test_url_modified_from_event(self):
+        self.driver.session.emit(
+            'before-building-argument-table-parser.sqs',
+            args=[],
+            session=self.driver.session,
+            argument_table=mock.Mock(),
+            parsed_globals=self.parsed_globals
+        )
+        self.assertEqual(
+            self.parsed_globals.endpoint_url,
+            'https://sqs.us-east-1.amazonaws.com'
+        )
+
+    @mock.patch('awscli.clidriver.CLIOperationCaller.invoke', return_value=0)
+    def test_set_endpoint_url_arg(self, invoke):
+        self.run_cmd(self.prefix.split())
+        call_args = invoke.call_args[0]
+        self.assertEqual(call_args[0], 'sqs')
+        self.assertEqual(call_args[1], 'ListQueues')
+        self.assertEqual(call_args[3].endpoint_url, 'https://sqs.us-east-1.amazonaws.com')
+
+if __name__ == "__main__":
+    unittest.main()