chore: move all the fips-ish things to their own mini-package

apiarian-datadog · apiarian-datadog · commit e930cdcc6805 · 2025-04-29T12:04:07.000-04:00
diff --git a/bottlecap/src/bin/bottlecap/main.rs b/bottlecap/src/bin/bottlecap/main.rs
@@ -18,6 +18,7 @@ use bottlecap::{
     },
     event_bus::bus::EventBus,
     events::Event,
+    fips::{log_fips_status, prepare_client_provider},
     lifecycle::{
         flush_control::FlushControl, invocation::processor::Processor as InvocationProcessor,
         listener::Listener as LifecycleListener,
@@ -79,42 +80,6 @@ use tokio_util::sync::CancellationToken;
 use tracing::{debug, error};
 use tracing_subscriber::EnvFilter;
 
-#[cfg(all(feature = "default", feature = "fips"))]
-compile_error!("When building in fips mode, the default feature must be disabled");
-
-#[cfg(feature = "fips")]
-fn log_fips_status() {
-    debug!("FIPS mode is enabled");
-}
-
-#[cfg(not(feature = "fips"))]
-fn log_fips_status() {
-    debug!("FIPS mode is disabled");
-}
-
-/// Sets up the client provider for TLS operations.
-/// In FIPS mode, this installs the AWS-LC crypto provider.
-/// In non-FIPS mode, this is a no-op.
-#[cfg(feature = "fips")]
-fn prepare_client_provider() -> Result<()> {
-    rustls::crypto::default_fips_provider()
-        .install_default()
-        .map_err(|e| {
-            Error::new(
-                std::io::ErrorKind::InvalidData,
-                format!("Failed to set up fips provider: {e:?}"),
-            )
-        })
-}
-
-#[cfg(not(feature = "fips"))]
-// this is not unnecessary since the fips version can return an error
-#[allow(clippy::unnecessary_wraps)]
-fn prepare_client_provider() -> Result<()> {
-    // No-op in non-FIPS mode
-    Ok(())
-}
-
 #[derive(Clone, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct RegisterResponse {
diff --git a/bottlecap/src/fips/mod.rs b/bottlecap/src/fips/mod.rs
@@ -0,0 +1,56 @@
+// This module contains all of the things we do a little bit differently when we compile for FIPS
+// mode. This is used in conjunction with the datadog-serverless-fips crate to ensure that when we
+// compile the extension in FIPS mode, everything is built and configured correctly.
+
+#[cfg(feature = "fips")]
+use std::io::Error;
+use std::io::Result;
+use tracing::debug;
+
+#[cfg(all(feature = "default", feature = "fips"))]
+compile_error!("When building in fips mode, the default feature must be disabled");
+
+#[cfg(feature = "fips")]
+pub fn log_fips_status() {
+    debug!("FIPS mode is enabled");
+}
+
+#[cfg(not(feature = "fips"))]
+pub fn log_fips_status() {
+    debug!("FIPS mode is disabled");
+}
+
+/// Sets up the client provider for TLS operations.
+/// In FIPS mode, this installs the AWS-LC crypto provider.
+/// In non-FIPS mode, this is a no-op.
+#[cfg(feature = "fips")]
+pub fn prepare_client_provider() -> Result<()> {
+    rustls::crypto::default_fips_provider()
+        .install_default()
+        .map_err(|e| {
+            Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!("Failed to set up fips provider: {e:?}"),
+            )
+        })
+}
+
+#[cfg(not(feature = "fips"))]
+// this is not unnecessary since the fips version can return an error
+#[allow(clippy::unnecessary_wraps)]
+pub fn prepare_client_provider() -> Result<()> {
+    // No-op in non-FIPS mode
+    Ok(())
+}
+
+#[cfg(not(feature = "fips"))]
+#[must_use]
+pub fn compute_aws_api_host(service: &String, region: &String, domain: &str) -> String {
+    format!("{service}.{region}.{domain}")
+}
+
+#[cfg(feature = "fips")]
+#[must_use]
+pub fn compute_aws_api_host(service: &String, region: &String, domain: &str) -> String {
+    format!("{service}-fips.{region}.{domain}")
+}
diff --git a/bottlecap/src/lib.rs b/bottlecap/src/lib.rs
@@ -20,6 +20,7 @@
 pub mod config;
 pub mod event_bus;
 pub mod events;
+pub mod fips;
 pub mod http_client;
 pub mod lifecycle;
 pub mod logger;
diff --git a/bottlecap/src/secrets/decrypt.rs b/bottlecap/src/secrets/decrypt.rs
@@ -1,4 +1,5 @@
 use crate::config::{aws::AwsConfig, Config};
+use crate::fips::compute_aws_api_host;
 use base64::prelude::*;
 use chrono::{DateTime, Utc};
 use datadog_serverless_fips::reqwest_adapter::create_reqwest_client_builder;
@@ -226,16 +227,6 @@ async fn request(
     Ok(v)
 }
 
-#[cfg(not(feature = "fips"))]
-fn compute_host(service: &String, region: &String, domain: &str) -> String {
-    format!("{service}.{region}.{domain}")
-}
-
-#[cfg(feature = "fips")]
-fn compute_host(service: &String, region: &String, domain: &str) -> String {
-    format!("{service}-fips.{region}.{domain}")
-}
-
 fn build_get_secret_signed_headers(
     aws_config: &AwsConfig,
     region: String,
@@ -250,7 +241,7 @@ fn build_get_secret_signed_headers(
         "amazonaws.com"
     };
 
-    let host = compute_host(&header_values.service, &region, domain);
+    let host = compute_aws_api_host(&header_values.service, &region, domain);
 
     let canonical_uri = "/";
     let canonical_querystring = "";
