schnauzer: set FIPS ECR registry endpoint if in FIPS mode

Extend the ecr-prefix helper to automatically set ECR registry endpoint
to its FIPS equivalent if both in a FIPS supported region and running on
a FIPS enabled variant.

Signed-off-by: Gavin Inglis <[email protected]>

sources/api/schnauzer/src/helpers/mod.rs

@@ -78,6 +78,9 @@ lazy_static! {
 const ECR_FALLBACK_REGION: &str = "us-east-1";
 const ECR_FALLBACK_REGISTRY: &str = "328549459982";
 
+/// Filepath to FIPS configuration.
+const PROC_SYS_CRYPTO_FIPS_ENABLED: &str = "/proc/sys/crypto/fips_enabled";
+
 lazy_static! {
     /// A map to tell us which endpoint to pull updates from for a given region.
     static ref TUF_ENDPOINT_MAP: HashMap<&'static str, &'static str> = {
@@ -519,6 +522,14 @@ pub fn tuf_prefix(
     Ok(())
 }
 
+/// Utility function to determine if a variant is in FIPS mode based
+/// on /proc/sys/crypto/fips_enabled.
+fn fips_enabled() -> bool {
+    std::fs::read_to_string(PROC_SYS_CRYPTO_FIPS_ENABLED)
+        .map(|s| s.trim() == "1")
+        .unwrap_or(false)
+}
+
 /// The `metadata-prefix` helper is used to map an AWS region to the correct
 /// metadata location inside of the TUF repository.
 ///
@@ -1426,7 +1437,18 @@ fn ecr_registry<S: AsRef<str>>(region: S) -> String {
     match partition {
         "aws-cn" => format!("{}.dkr.ecr.{}.amazonaws.com.cn", registry_id, region),
         "aws-iso-e" => format!("{}.dkr.ecr.{}.cloud.adc-e.uk", registry_id, region),
-        _ => format!("{}.dkr.ecr.{}.amazonaws.com", registry_id, region),
+        _ => format!(
+            "{}.dkr.ecr{}.{}.amazonaws.com",
+            registry_id,
+            // Only inject the fips service endpoint if the variant is in FIPS mode and the
+            // region supports FIPS.
+            if fips_enabled() && region.starts_with("us-") {
+                "-fips"
+            } else {
+                ""
+            },
+            region
+        ),
     }
 }