From 804ab42ef0d57a54a595dda13ef7644e034eef9e Mon Sep 17 00:00:00 2001
From: Alex Woods
Date: Mon, 9 Sep 2024 13:45:01 -0700
Subject: [PATCH] Add support for Http client cert and key to support mTLS (#3100)
---
 gems/aws-sdk-core/CHANGELOG.md | 2 ++
 .../lib/seahorse/client/net_http/connection_pool.rb | 10 ++++++++--
 .../lib/seahorse/client/plugins/net_http.rb | 9 +++++++++
 .../spec/seahorse/client/plugins/net_http_spec.rb | 8 ++++++++
 4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
index 67f220208fa..3b8a970d019 100644
--- a/gems/aws-sdk-core/CHANGELOG.md
+++ b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
+* Issue - Add support for `ssl_cert` and `ssl_key` configuration options to support mTLS.
+
 3.203.0 (2024-09-03)
 ------------------
diff --git a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
index a777b561817..e6285ce8a29 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/net_http/connection_pool.rb
@@ -34,7 +34,9 @@ class ConnectionPool
 ssl_ca_bundle: nil,
 ssl_ca_directory: nil,
 ssl_ca_store: nil,
- ssl_timeout: nil
+ ssl_timeout: nil,
+ ssl_cert: nil,
+ ssl_key: nil
 }
 # @api private
@@ -246,7 +248,9 @@ def pool_options options
 :ssl_ca_bundle => options[:ssl_ca_bundle],
 :ssl_ca_directory => options[:ssl_ca_directory],
 :ssl_ca_store => options[:ssl_ca_store],
- :ssl_timeout => options[:ssl_timeout]
+ :ssl_timeout => options[:ssl_timeout],
+ :ssl_cert => options[:ssl_cert],
+ :ssl_key => options[:ssl_key]
 }
 end
@@ -291,6 +295,8 @@ def start_session endpoint
 http.ca_file = ssl_ca_bundle if ssl_ca_bundle
 http.ca_path = ssl_ca_directory if ssl_ca_directory
 http.cert_store = ssl_ca_store if ssl_ca_store
+ http.cert = ssl_cert if ssl_cert
+ http.key = ssl_key if ssl_key
 else
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
diff --git a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
index 75b122f9eb7..7b36300be02 100644
--- a/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
+++ b/gems/aws-sdk-core/lib/seahorse/client/plugins/net_http.rb
@@ -70,6 +70,15 @@ class NetHttp < Plugin
 resolve_ssl_timeout(cfg)
 end
+ option(:ssl_cert, default: nil, doc_type: OpenSSL::X509::Certificate, docstring: <<-DOCS)
+Sets a client certificate when creating http connections.
+ DOCS
+
+ option(:ssl_key, default: nil, doc_type: OpenSSL::PKey, docstring: <<-DOCS)
+Sets a client key when creating http connections.
+ DOCS
+
 option(:logger) # for backwards compat
 handler(Client::NetHttp::Handler, step: :send)
diff --git a/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb b/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
index 9258789e7b0..6ebb5e4a046 100644
--- a/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
+++ b/gems/aws-sdk-core/spec/seahorse/client/plugins/net_http_spec.rb
@@ -102,6 +102,14 @@ module Plugins
 it 'adds a :ssl_ca_store option without default' do
 expect(config.ssl_ca_store).to eq(nil)
 end
+
+ it 'adds a :ssl_cert option with no default' do
+ expect(config.ssl_cert).to eq(nil)
+ end
+
+ it 'adds a :ssl_key option with no default' do
+ expect(config.ssl_key).to eq(nil)
+ end
 end
 describe '#add_handlers' do
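Review bot: `http.cert = ssl_cert if ssl_cert` and `http.key = ssl_key if ssl_key` are placed inside the branch whose `else` sets `OpenSSL::SSL::VERIFY_NONE`, so the client certificate is only ever presented when that condition holds; the condition itself is outside the hunk, but if it is the peer-verification switch, a caller who disables server verification silently loses the mTLS identity and an mTLS server will refuse the handshake at connect time. Presenting a client certificate is independent of verifying the server's, so the two assignments belong after the `end` of that if/else rather than inside the verify branch. Net::HTTP also does not check that the pair is complete here: a cert without its key (or the reverse) only surfaces as an OpenSSL handshake error, so a guard such as `raise ArgumentError, 'ssl_cert and ssl_key must be set together' if ssl_cert.nil? != ssl_key.nil?` ahead of the assignments would fail fast with a clear message. start_session begins and ends outside the hunk.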
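Review bot: `doc_type: OpenSSL::PKey` names a module rather than the type a user actually passes; `Net::HTTP#key=` expects a key object such as `OpenSSL::PKey::RSA` or `OpenSSL::PKey::EC`, whose common ancestor is `OpenSSL::PKey::PKey`, so the doc_type should be `OpenSSL::PKey::PKey`. Both docstrings should also say that an in-memory object, not a file path, is expected, since the neighbouring `ssl_ca_bundle` option is a path (connection_pool.rb assigns it to `http.ca_file`) and users will reasonably assume the same here; they should state that the two options must be configured together. Proposed: `Sets the client certificate (an OpenSSL::X509::Certificate object, not a path) presented to the server for mutual TLS. Must be set together with :ssl_key.` and `Sets the private key (an OpenSSL::PKey::PKey, e.g. RSA or EC) matching :ssl_cert for mutual TLS. Must be set together with :ssl_cert.`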
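Review bot: The two new examples only pin `config.ssl_cert` and `config.ssl_key` to nil; nothing asserts that a configured value actually reaches `Net::HTTP#cert` / `Net::HTTP#key` in connection_pool.rb, which is the behaviour this commit adds and the part most likely to regress (for example if the assignments move relative to the verify branch). A spec that builds a client with `ssl_cert:` and `ssl_key:` set to a throwaway certificate and key generated in the test, then checks the resulting `Net::HTTP` session's `cert` and `key`, would cover it; if the existing ssl_ca_bundle specs already do this for `ca_file`, they are the template. The enclosing describe block starts outside the hunk.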