feat: support mTLS and anonymous aliases#213
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds new alias capabilities to the CLI and S3/admin clients: (1) configuring aliases that intentionally perform unsigned (anonymous) requests, and (2) configuring mTLS client identity (client cert/key) for endpoints that require mutual TLS. It also updates CLI output and contract tests to surface and validate these new alias properties.
Changes:
- Extend alias configuration to include
anonymous,client_cert, andclient_key, and validate these combinations inrc alias set. - Wire mTLS identity into the reqwest clients used by S3 XML requests and admin API requests, and skip SigV4 signing when
anonymousis enabled. - Extend alias list output (JSON + long human output) and update CLI contract tests accordingly.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/s3/src/client.rs | Adds mTLS support to reqwest client construction and skips XML SigV4 signing when anonymous; updates SDK config handling and tests. |
| crates/s3/src/admin.rs | Adds mTLS identity support for admin client and skips SigV4 signing when anonymous. |
| crates/core/src/config.rs | Updates config test fixtures to include new alias fields. |
| crates/core/src/alias.rs | Adds anonymous, client_cert, client_key fields to the alias model with serde defaults. |
| crates/cli/src/commands/alias.rs | Adds --anonymous, --client-cert, --client-key flags; makes credentials positional args optional; surfaces auth/mTLS state in list output. |
| crates/cli/tests/help_contract.rs | Updates help contract expectations for the new alias set usage/flags. |
| crates/cli/tests/error_contract.rs | Adds contract tests for anonymous aliases and client identity validation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: 安正超 <anzhengchao@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
rc alias set --anonymousso aliases can be created without SigV4 credentials, and skip signing for custom XML/admin HTTP requests when anonymous mode is enabled.--client-cert/--client-keyalias options and wire the PEM client identity into the reqwest clients used for S3 XML and admin requests.auth_modeandmtlsin alias JSON output and long human output, with validation/tests for anonymous credentials and partial client identity inputs.Closes #209
Validation
cargo test -p rustfs-cli --test help_contract -- --nocapturecargo test -p rustfs-cli --test error_contract -- --nocapturecargo test -p rustfs-cli alias -- --nocapturecargo test -p rc-s3 test_admin_client_invalid_ca_bundle_path_surfaces_error -- --nocapturecargo test --workspace -j1; local macOS run was terminated with SIGTERM while running the existingclient::tests::delete_bucket_cors_missing_configuration_is_successfulafter the earlier suites passed.BREAKING CHANGES
This change adds new alias configuration behavior and fields for
auth_modeandmtlscompatibility.