chore: add clippy rule for reqwest::Client::builder

apiarian-datadog · apiarian-datadog · commit 30f419f13508 · 2025-04-29T13:00:47.000-04:00
diff --git a/clippy.toml b/clippy.toml
@@ -0,0 +1,3 @@
+disallowed-methods = [
+  { path = "reqwest::Client::builder", reason = "prefer the FIPS-compatible adapter", replacement = "datadog_serverless_fips::reqwest_adapter::create_reqwest_client_builder" },
+]
diff --git a/crates/datadog-serverless-fips/README.md b/crates/datadog-serverless-fips/README.md
@@ -1,3 +1,12 @@
-# Datadog Serverless FIPS
+# Datadog FIPS for Serverless
 
-A package to support FIPS builds for serverless tools. Currently tested with the datadog-lambda-extension, but it may be useful in other environments.
+A package to support FIPS builds for serverless tools. Currently tested with
+the datadog-lambda-extension, but it may be useful in other environments.
+
+Please add the following to your `clippy.toml`:
+
+```
+disallowed-methods = [
+  { path = "reqwest::Client::builder", reason = "prefer the FIPS-compatible adapter", replacement = "datadog_serverless_fips::reqwest_adapter::create_reqwest_client_builder" },
+]
+```
diff --git a/crates/datadog-serverless-fips/src/reqwest_adapter.rs b/crates/datadog-serverless-fips/src/reqwest_adapter.rs
@@ -8,7 +8,9 @@ use tracing::debug;
 /// Otherwise, it uses reqwest's default rustls TLS implementation.
 #[cfg(not(feature = "fips"))]
 pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>> {
-    // Just return the default builder with rustls TLS
+    // Just return the default builder with rustls TLS. This is the one place we should be okay
+    // to call reqwest::Client::builder().
+    #[allow(clippy::disallowed_methods)]
     Ok(reqwest::Client::builder().use_rustls_tls())
 }
 
@@ -55,5 +57,7 @@ pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>>
     }
     debug!("Client builder is configured with FIPS.");
 
+    // This is the one place that it is okay to call reqwest::Client::builder().
+    #[allow(clippy::disallowed_methods)]
     Ok(reqwest::Client::builder().use_preconfigured_tls(config))
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+disallowed-methods = [`
	`2`	`+ { path = "reqwest::Client::builder", reason = "prefer the FIPS-compatible adapter", replacement = "datadog_serverless_fips::reqwest_adapter::create_reqwest_client_builder" },`
	`3`	`+]`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,9 @@ use tracing::debug;`
`8`	`8`	`/// Otherwise, it uses reqwest's default rustls TLS implementation.`
`9`	`9`	`#[cfg(not(feature = "fips"))]`
`10`	`10`	`pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>> {`
`11`		`- // Just return the default builder with rustls TLS`
	`11`	`+ // Just return the default builder with rustls TLS. This is the one place we should be okay`
	`12`	`+ // to call reqwest::Client::builder().`
	`13`	`+ #[allow(clippy::disallowed_methods)]`
`12`	`14`	`Ok(reqwest::Client::builder().use_rustls_tls())`
`13`	`15`	`}`
`14`	`16`
`@@ -55,5 +57,7 @@ pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>>`
`55`	`57`	`}`
`56`	`58`	`debug!("Client builder is configured with FIPS.");`
`57`	`59`
	`60`	`+ // This is the one place that it is okay to call reqwest::Client::builder().`
	`61`	`+ #[allow(clippy::disallowed_methods)]`
`58`	`62`	`Ok(reqwest::Client::builder().use_preconfigured_tls(config))`
`59`	`63`	`}`