Deprecate ssl common name #7114
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
bcea441 to
c55af97
Compare
dlm6693
commented
Jul 18, 2022
dlm6693
commented
Jul 18, 2022
stealthycoin
suggested changes
Jul 18, 2022
nateprewitt
requested changes
Jul 19, 2022
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
c55af97 to
d0e5dc2
Compare
Codecov Report
@@ Coverage Diff @@
## develop #7114 +/- ##
========================================
Coverage 92.88% 92.89%
========================================
Files 204 205 +1
Lines 16351 16374 +23
========================================
+ Hits 15188 15211 +23
Misses 1163 1163
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
nateprewitt
requested changes
Jul 19, 2022
tests/integration/customizations/test_override_ssl_common_name.py
Outdated
Show resolved
Hide resolved
dlm6693
commented
Jul 20, 2022
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
2 times, most recently
from
1b54127 to
f0c9e33
Compare
kyleknap
reviewed
Aug 4, 2022
| @@ -134,7 +134,7 @@ def __call__(self, args, parsed_globals): | |||
| event = 'before-building-argument-table-parser.%s' % \ | |||
| ".".join(self.lineage_names) | |||
| self._session.emit(event, argument_table=self._arg_table, args=args, | |||
| session=self._session) | |||
There was a problem hiding this comment.
Could you elaborate on the raitonale on why before-building-argument-table-parser was chosen for this handler? I think the main concerns right now are:
- We are adding a new keyword argument (
parsed_globals) to the event. As a rule of thumb, new arguments are added if they make sense and are needed. - It is possible that this event can be emitted twice. I was seeing this with the
aws rds wait db-cluster-availablecommand. Fortunately it looks like the handler is idempotent but it would be nice if we did not have to rely on that. - The purpose of the
before-building-argument-table-parseris for updating the argument table prior to parsing and I'm not sure it logically fits with setting values on the parsed globals.
I have not come up with a good alternative yet, but I just wanted to put some initial thoughts down.
There was a problem hiding this comment.
I know we had originally agreed upon building-command-table, but upon diving into the code, this seemed by far to be the less invasive approach. I do see now that it runs twice, once for the service and then for the operation, which is definitely behavior that should be avoided even if the handler is idempotent.
The trouble is figuring out a clean implementation of passing parsed_globals to that event. The ServiceOperation object only gets that variable when its invoked in a ServiceCommand object's __call__ method, which is after building-command-table has run. I think its definitely doable, but would require a larger refactor, which I wanted to avoid for something that is pretty core behavior to the CLI.
The easiest way that is occurring to me now would be to pass parsed_globals to _get_command_table, which would pass it in turn to _create_command_table. Then it could be added to the event. Let me know what you think of that approach and if you have any concerns with it. Happy to investigate further, but if you do come up with any suggestions let me know.
There was a problem hiding this comment.
I think originally I had two different potential events in mind:
top-level-args-parsed- This is the event for when the global args get parsed. It seemed suiting as we would just immediately set the global argument of--endpoint-urlat that stage and we can keep endpoint url mutations isolated to that stage. The only issue with that approach is that the session had technically not been initialized yet, so there may be unintended consequences/configuration resolution if we try to grab the region before that. This event also happens before even logging is enabled so that is a concern as well if we are trying to do any tracing of it.session-initialized- This seemed like the next best event to use as the session was initialized there. The only problem I saw in using this event is that we could not 100% capture correctly the service being used. Specifically, for CLI aliases the command that gets parsed is represented as the alias and not the underlying service command at that point. So we would be using the wrong endpoint if the command was under an alias.
This all being said. I don't know if I have a clear preference between building-command-table and before-building-argument-table-parser. They both share similar concerns, but it seems like we need an event lower into the stack to get this to work appropriately and I do not want to be adding a new event for this. I think for now let's just stick with before-building-argument-table-parser unless we get a better idea.
There was a problem hiding this comment.
Ok cool sounds good Kyle. I'll keep the behavior as is. I'll be adding the additional services that were missed in my script that you caught in yours shortly.
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
eb1af3b to
46eb4d4
Compare
dlm6693
commented
Aug 4, 2022
kyleknap
reviewed
Aug 10, 2022
| "us-east-1": "health.us-east-1.amazonaws.com", | ||
| "us-east-2": "health.us-east-1.amazonaws.com", | ||
| "us-west-1": "health.us-east-1.amazonaws.com", | ||
| "us-west-2": "health.us-east-1.amazonaws.com", |
There was a problem hiding this comment.
So when running the CLI manually with these hard coded endpoints, I'm getting the following error for non-us-east-1 regions when using health:
$ aws health describe-events --region us-west-2
An error occurred (InvalidSignatureException) when calling the DescribeEvents operation: Credential should be scoped to a valid region.
It looks like the reason this is happening is that health is defined as a non-regionalized service and thus has a default credentialScope of us-east-1 for the aws partition. We are going to have to adjust the logic here so that we also set the region to the default credential scope for health as well as the endpoint url. I would not worry about generalizing it too much. It should be just:
If we find we need to set the endpoint url for health:
- Call the
session.get_partition_for_region()for the provided region to determine the partition we are working in. - Map the partition to the value representing the region of the default credential scope for the partition (i.e. determine if the region we need to set should be
us-east-1,cn-northwest-1) - Set the region either on the
parsed_globalsor via thesession.set_config_variable()method, whatever does the job of making sure we use the correct credential scope for the region.
There was a problem hiding this comment.
alright i shot up a fix. i was getting the same error before making the fix, but a different one. not sure how to handle it since it was a subscription error but as far as i can tell there are no subscriptions in aws health.
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
9509150 to
a2a87c7
Compare
kyleknap
reviewed
Aug 16, 2022
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
6fdd27f to
efa3351
Compare
stealthycoin
suggested changes
Aug 16, 2022
There was a problem hiding this comment.
The code looks a lot better now, I think the one main thing I want to se updated before we merge is the commit title/message. This is a fairly involved change and we should document some of the conversations we had in here in the commit.
Think of someone trying to figure out why the code does what it does, and historically why we chose to do what we did. For example if someone was looking at the session.emit line from here and wondering why we added parsed_globals as an argument to that event and they check the git blame it just says "deprecate ssl common name" which is not helpful. You don't need to copy and paste all of the conversations into the commit, but I would like to see a few paragraphs outlining some of the important design considerations and consequences of this change.
|
@stealthycoin sure thing. i'll have something ready in a bit. |
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
3 times, most recently
from
9175185 to
01d71e3
Compare
kyleknap
reviewed
Aug 17, 2022
auditendpoints.py
Outdated
| @@ -0,0 +1,37 @@ | |||
| import json | |||
There was a problem hiding this comment.
I'm not sure if this file should have been added to the PR.
There was a problem hiding this comment.
Oops! I thought this was in my global git ignore but I guess it snuck through. Will remove
| { | ||
| "type": "enhancement", | ||
| "category": "Endpoints", | ||
| "description": "Allow usage of SSL common name with deprecation" |
There was a problem hiding this comment.
For the description, let's update it to: "Enforce SSL common name as default endpoint url". Mainly the wording is a bit more consistent with the change we are making as "Allow usage" is more indicative of adding an opt-in option or loosening a constraint.
There was a problem hiding this comment.
Got it! Will update.
In the comming months, the method by which every AWS SDK resolves their endpoints, including aws-cli v1 and boto3, will be udpated with completely different behavior. At this time,the use of the `sslCommonName` paradigm will be fully deprecated. Additionally, it was mainly used to support python 2.6, which has not been supported by boto3 or the CLI since January 1, 2020. The boto team wanted to ease the transition by raising a warning to users and providing an optional environment variable to fully disable the behavior immediately. However, this causes breaking changes in v1 of aws-cli so additional changes were required in it to release the deprecation. This commit attempts to formally maintain the `sslCommonName` paradigm in aws-cli v1. This is accomplished by providing hardcoded, manual overrides for each service and region combination where this parameter is used over the standard `hostname`. The list of these service/region combinations was compiled by creating a client for every single combination and emitting the `endpoint_url` to a file twice. The first using a version of botocore that uses `sslCommonName` and one that doesn't, then diffing the two files to see which URLs changed. While behavior for the end user will largely be the same, if they do not disable the common name behavior by setting the environment variable `BOTO_DISABLE_COMMONNAME` to `true`, a warning will be omitted in the console once per session. Additional details can be found in boto/botocore#2705. The override occurs when the `before-building-argument-table-parser` is omitted by an event handler. At this point, if the user has not set `endpoint_url` in `parsed_globals` (`--endpoint-url` flag from the command line) the endpoint that the CLI uses will be overridden to continue to use the SSL common name. There were a few different options of which event to run the override in, but ultimately this one was chosen because it was the least invasive to the existing code base. As this is very low level behavior for the CLI, minimizing the amount of changes made was prioritized over one that might seemt to make more logical sense like `top-level-args-parsed`, which is when the arguments passed to the command line are actually parsed through. However, the usage of a session instance was required in order to get config variables like region and partition. There is a strong possiblity that this customization override will run twice per call, but that is a design flaw the maintainers are aware of and have accpeted. Additionally for the `health` service, the region parameter needed to be overwritten because of it's use of pseudo regions like `aws-global`. In the other cases, the region within the URL essentially always matched the region, but since health uses the SSL common name in global pseudo regions, this change was required as well or an exception would be raised.
dlm6693
force-pushed
the
deprecate-ssl-common-name
branch
from
01d71e3 to
ce2d62c
Compare
stealthycoin
approved these changes
Aug 17, 2022
kyleknap
approved these changes
Aug 17, 2022
aws-sdk-python-automation
added a commit
that referenced
this pull request
Aug 17, 2022
* release-1.25.54: Bumping version to 1.25.54 Update changelog based on model updates Allow usage of SSL common name with deprecation. (#7114) Update get-secret-value.rst New CLI examples ecs, iotsitewise, ivs, appmesh, memorydb Update examples for secretsmanager
aws-sdk-python-automation
added a commit
that referenced
this pull request
Aug 17, 2022
* release-1.25.55: Bumping version to 1.25.55 Add changelog for revert Revert "Allow usage of SSL common name with deprecation. (#7114)"
hssyoo
pushed a commit
to hssyoo/aws-cli
that referenced
this pull request
Aug 18, 2022
In the comming months, the method by which every AWS SDK resolves their endpoints, including aws-cli v1 and boto3, will be udpated with completely different behavior. At this time,the use of the `sslCommonName` paradigm will be fully deprecated. Additionally, it was mainly used to support python 2.6, which has not been supported by boto3 or the CLI since January 1, 2020. The boto team wanted to ease the transition by raising a warning to users and providing an optional environment variable to fully disable the behavior immediately. However, this causes breaking changes in v1 of aws-cli so additional changes were required in it to release the deprecation. This commit attempts to formally maintain the `sslCommonName` paradigm in aws-cli v1. This is accomplished by providing hardcoded, manual overrides for each service and region combination where this parameter is used over the standard `hostname`. The list of these service/region combinations was compiled by creating a client for every single combination and emitting the `endpoint_url` to a file twice. The first using a version of botocore that uses `sslCommonName` and one that doesn't, then diffing the two files to see which URLs changed. While behavior for the end user will largely be the same, if they do not disable the common name behavior by setting the environment variable `BOTO_DISABLE_COMMONNAME` to `true`, a warning will be omitted in the console once per session. Additional details can be found in boto/botocore#2705. The override occurs when the `before-building-argument-table-parser` is omitted by an event handler. At this point, if the user has not set `endpoint_url` in `parsed_globals` (`--endpoint-url` flag from the command line) the endpoint that the CLI uses will be overridden to continue to use the SSL common name. There were a few different options of which event to run the override in, but ultimately this one was chosen because it was the least invasive to the existing code base. As this is very low level behavior for the CLI, minimizing the amount of changes made was prioritized over one that might seemt to make more logical sense like `top-level-args-parsed`, which is when the arguments passed to the command line are actually parsed through. However, the usage of a session instance was required in order to get config variables like region and partition. There is a strong possiblity that this customization override will run twice per call, but that is a design flaw the maintainers are aware of and have accpeted. Additionally for the `health` service, the region parameter needed to be overwritten because of it's use of pseudo regions like `aws-global`. In the other cases, the region within the URL essentially always matched the region, but since health uses the SSL common name in global pseudo regions, this change was required as well or an exception would be raised.
hssyoo
pushed a commit
to hssyoo/aws-cli
that referenced
this pull request
Aug 18, 2022
This reverts commit eb696a8.
ConnorKirk
pushed a commit
to ConnorKirk/aws-cli
that referenced
this pull request
Oct 28, 2022
In the comming months, the method by which every AWS SDK resolves their endpoints, including aws-cli v1 and boto3, will be udpated with completely different behavior. At this time,the use of the `sslCommonName` paradigm will be fully deprecated. Additionally, it was mainly used to support python 2.6, which has not been supported by boto3 or the CLI since January 1, 2020. The boto team wanted to ease the transition by raising a warning to users and providing an optional environment variable to fully disable the behavior immediately. However, this causes breaking changes in v1 of aws-cli so additional changes were required in it to release the deprecation. This commit attempts to formally maintain the `sslCommonName` paradigm in aws-cli v1. This is accomplished by providing hardcoded, manual overrides for each service and region combination where this parameter is used over the standard `hostname`. The list of these service/region combinations was compiled by creating a client for every single combination and emitting the `endpoint_url` to a file twice. The first using a version of botocore that uses `sslCommonName` and one that doesn't, then diffing the two files to see which URLs changed. While behavior for the end user will largely be the same, if they do not disable the common name behavior by setting the environment variable `BOTO_DISABLE_COMMONNAME` to `true`, a warning will be omitted in the console once per session. Additional details can be found in boto/botocore#2705. The override occurs when the `before-building-argument-table-parser` is omitted by an event handler. At this point, if the user has not set `endpoint_url` in `parsed_globals` (`--endpoint-url` flag from the command line) the endpoint that the CLI uses will be overridden to continue to use the SSL common name. There were a few different options of which event to run the override in, but ultimately this one was chosen because it was the least invasive to the existing code base. As this is very low level behavior for the CLI, minimizing the amount of changes made was prioritized over one that might seemt to make more logical sense like `top-level-args-parsed`, which is when the arguments passed to the command line are actually parsed through. However, the usage of a session instance was required in order to get config variables like region and partition. There is a strong possiblity that this customization override will run twice per call, but that is a design flaw the maintainers are aware of and have accpeted. Additionally for the `health` service, the region parameter needed to be overwritten because of it's use of pseudo regions like `aws-global`. In the other cases, the region within the URL essentially always matched the region, but since health uses the SSL common name in global pseudo regions, this change was required as well or an exception would be raised.
ConnorKirk
pushed a commit
to ConnorKirk/aws-cli
that referenced
this pull request
Oct 28, 2022
This reverts commit eb696a8.
godd9170
pushed a commit
to godd9170/aws-cli
that referenced
this pull request
Mar 7, 2023
In the comming months, the method by which every AWS SDK resolves their endpoints, including aws-cli v1 and boto3, will be udpated with completely different behavior. At this time,the use of the `sslCommonName` paradigm will be fully deprecated. Additionally, it was mainly used to support python 2.6, which has not been supported by boto3 or the CLI since January 1, 2020. The boto team wanted to ease the transition by raising a warning to users and providing an optional environment variable to fully disable the behavior immediately. However, this causes breaking changes in v1 of aws-cli so additional changes were required in it to release the deprecation. This commit attempts to formally maintain the `sslCommonName` paradigm in aws-cli v1. This is accomplished by providing hardcoded, manual overrides for each service and region combination where this parameter is used over the standard `hostname`. The list of these service/region combinations was compiled by creating a client for every single combination and emitting the `endpoint_url` to a file twice. The first using a version of botocore that uses `sslCommonName` and one that doesn't, then diffing the two files to see which URLs changed. While behavior for the end user will largely be the same, if they do not disable the common name behavior by setting the environment variable `BOTO_DISABLE_COMMONNAME` to `true`, a warning will be omitted in the console once per session. Additional details can be found in boto/botocore#2705. The override occurs when the `before-building-argument-table-parser` is omitted by an event handler. At this point, if the user has not set `endpoint_url` in `parsed_globals` (`--endpoint-url` flag from the command line) the endpoint that the CLI uses will be overridden to continue to use the SSL common name. There were a few different options of which event to run the override in, but ultimately this one was chosen because it was the least invasive to the existing code base. As this is very low level behavior for the CLI, minimizing the amount of changes made was prioritized over one that might seemt to make more logical sense like `top-level-args-parsed`, which is when the arguments passed to the command line are actually parsed through. However, the usage of a session instance was required in order to get config variables like region and partition. There is a strong possiblity that this customization override will run twice per call, but that is a design flaw the maintainers are aware of and have accpeted. Additionally for the `health` service, the region parameter needed to be overwritten because of it's use of pseudo regions like `aws-global`. In the other cases, the region within the URL essentially always matched the region, but since health uses the SSL common name in global pseudo regions, this change was required as well or an exception would be raised.
godd9170
pushed a commit
to godd9170/aws-cli
that referenced
this pull request
Mar 7, 2023
This reverts commit eb696a8.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an attempt to maintain the usage of
sslCommonNamein the AWS CLI. A handler is added that adds theendpoint-urlarg to any given command if the user has not provided it themselves and the service and region are a match from a provided list.It will be deprecated in botocore but cannot in the CLI as it causes breaking changes. This PR will counteract that. All SSL common name endpoints are hardcoded