Add support for Http client cert and key to support mTLS (#3100)

aws · Sep 9, 2024 · 804ab42 · 804ab42
1 parent f6bc670
commit 804ab42
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Add support for `ssl_cert` and `ssl_key` configuration options to support mTLS.
+
 3.203.0 (2024-09-03)
 ------------------
 

diff --git a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
@@ -34,7 +34,9 @@ class ConnectionPool
           ssl_ca_bundle: nil,
           ssl_ca_directory: nil,
           ssl_ca_store: nil,
-          ssl_timeout: nil
+          ssl_timeout: nil,
+          ssl_cert: nil,
+          ssl_key: nil
         }
 
         # @api private
@@ -246,7 +248,9 @@ def pool_options options
               :ssl_ca_bundle => options[:ssl_ca_bundle],
               :ssl_ca_directory => options[:ssl_ca_directory],
               :ssl_ca_store => options[:ssl_ca_store],
-              :ssl_timeout => options[:ssl_timeout]
+              :ssl_timeout => options[:ssl_timeout],
+              :ssl_cert => options[:ssl_cert],
+              :ssl_key => options[:ssl_key]
             }
           end
 
@@ -291,6 +295,8 @@ def start_session endpoint
               http.ca_file = ssl_ca_bundle if ssl_ca_bundle
               http.ca_path = ssl_ca_directory if ssl_ca_directory
               http.cert_store = ssl_ca_store if ssl_ca_store
+              http.cert = ssl_cert if ssl_cert
+              http.key = ssl_key if ssl_key
             else
               http.verify_mode = OpenSSL::SSL::VERIFY_NONE
             end

diff --git a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
@@ -70,6 +70,15 @@ class NetHttp < Plugin
           resolve_ssl_timeout(cfg)
         end
 
+        option(:ssl_cert, default: nil, doc_type: OpenSSL::X509::Certificate, docstring: <<-DOCS)
+Sets a client certificate when creating http connections.
+        DOCS
+
+
+        option(:ssl_key, default: nil, doc_type: OpenSSL::PKey, docstring: <<-DOCS)
+Sets a client key when creating http connections.
+        DOCS
+
         option(:logger) # for backwards compat
 
         handler(Client::NetHttp::Handler, step: :send)

diff --git a/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb b/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
@@ -102,6 +102,14 @@ module Plugins
           it 'adds a :ssl_ca_store option without default' do
             expect(config.ssl_ca_store).to eq(nil)
           end
+
+          it 'adds a :ssl_cert option with no default' do
+            expect(config.ssl_cert).to eq(nil)
+          end
+
+          it 'adds a :ssl_key option with no default' do
+            expect(config.ssl_key).to eq(nil)
+          end
         end
 
         describe '#add_handlers' do