chore: move reqwest adapter to the new datadog-serverless-fips crate

Author: apiarian-datadog

.github/workflows/cargo.yml

@@ -53,7 +53,14 @@ jobs:
         shell: bash
         run: chmod +x ./scripts/install-protoc.sh && ./scripts/install-protoc.sh $HOME
       - shell: bash
-        run: cargo clippy --workspace --all-features
+        run: |
+          if [[ "${{ inputs.runner }}" == "windows-2022" ]]; then
+            # we don't technially support the datadog-serverless-fips module on
+            # windows right now anyway, so let's set this so that the windows
+            # build doesn't fail.
+            export AWS_LC_FIPS_SYS_NO_ASM=1
+          fi
+          cargo clippy --workspace --all-features
 
   build:
     name: Build

Cargo.lock

@@ -0,0 +1,17 @@
+[package]
+name = "datadog-serverless-fips"
+version = "0.1.0"
+edition.workspace = true
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[dependencies]
+reqwest = { version = "0.12.4", features = ["json", "http2"], default-features = false }
+rustls = { version = "0.23.18", default-features = false, features = ["fips"], optional = true }
+rustls-native-certs = { version = "0.8.1", optional = true }
+tracing = { version = "0.1.40", default-features = false }
+
+[features]
+default = [ "reqwest/rustls-tls" ]
+fips = [ "reqwest/rustls-tls-no-provider", "rustls", "rustls-native-certs" ]

crates/datadog-serverless-fips/Cargo.toml

@@ -0,0 +1,3 @@
+# Datadog Serverless FIPS
+
+A package to support FIPS builds for serverless tools. Currently tested with the datadog-lambda-extension, but it may be useful in other environments.

crates/datadog-serverless-fips/README.md

@@ -0,0 +1,4 @@
+// Copyright 2025-Present Datadog, Inc. https://www.datadoghq.com/
+// SPDX-License-Identifier: Apache-2.0
+
+pub mod reqwest_adapter;

crates/datadog-serverless-fips/src/lib.rs

@@ -3,10 +3,6 @@ use std::error::Error;
 #[cfg(feature = "fips")]
 use tracing::debug;
 
-// TODO: once we confirm that this does what we think it does we'll move it to a separate crate.
-// for now going to copy the this code to bottlecap and make sure that all the clients we build do
-// in fact do the fips thing right.
-
 /// Creates a reqwest client builder with TLS configuration.
 /// When the "fips" feature is enabled, it uses a FIPS-compliant TLS configuration.
 /// Otherwise, it uses reqwest's default rustls TLS implementation.
@@ -20,60 +16,44 @@ pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>>
 /// This version loads native root certificates and verifies FIPS compliance.
 #[cfg(feature = "fips")]
 pub fn create_reqwest_client_builder() -> Result<ClientBuilder, Box<dyn Error>> {
-    // Get the runtime crypto provider that should have been configured elsewhere in the application
+    // Get the runtime crypto provider that should have been configured at the start of the
+    // application using something like rustls::crypto::default_fips_provider().install_default()
     let provider =
         rustls::crypto::CryptoProvider::get_default().ok_or("No crypto provider configured")?;
 
-    // Verify the provider is FIPS-compliant
     if !provider.fips() {
         return Err("Crypto provider is not FIPS-compliant".into());
     }
 
-    // Create an empty root cert store
     let mut root_cert_store = rustls::RootCertStore::empty();
-
-    // Load native certificates
     let native_certs = rustls_native_certs::load_native_certs();
-
-    // Add the certificates to the store
     let mut valid_count = 0;
-
     for cert in native_certs.certs {
         match root_cert_store.add(cert) {
             Ok(()) => valid_count += 1,
             Err(err) => {
-                // Optionally log errors
                 debug!("Failed to parse certificate: {:?}", err);
             }
         }
     }
-
-    // Verify we have at least some valid certificates
     if valid_count == 0 {
         return Err("No valid certificates found in native root store".into());
     }
 
-    // Configure TLS versions (FIPS typically requires TLS 1.2 or higher)
+    // FIPS typically requires TLS 1.2 or higher
     let versions = rustls::ALL_VERSIONS.to_vec();
-
-    // Build the client config
     let config_builder = rustls::ClientConfig::builder_with_provider(provider.clone())
         .with_protocol_versions(&versions)
         .map_err(|_| "Failed to set protocol versions")?;
 
-    // Complete the configuration without client authentication
     let config = config_builder
         .with_root_certificates(root_cert_store)
         .with_no_client_auth();
 
-    // Verify the final config is FIPS-compliant
     if !config.fips() {
         return Err("The final TLS configuration is not FIPS-compliant".into());
     }
-    debug!("Client Builder is in FIPS mode");
-
-    // Create the reqwest client builder with our FIPS-compliant TLS configuration
-    let client_builder = reqwest::Client::builder().use_preconfigured_tls(config);
+    debug!("Client builder is configured with FIPS.");
 
-    Ok(client_builder)
+    Ok(reqwest::Client::builder().use_preconfigured_tls(config))
 }

crates/dogstatsd/src/fips.rs …g-serverless-fips/src/reqwest_adapter.rscrates/dogstatsd/src/fips.rs renamed to crates/datadog-serverless-fips/src/reqwest_adapter.rs crates/dogstatsd/src/fips.rs renamed to crates/datadog-serverless-fips/src/reqwest_adapter.rs

@@ -24,9 +24,7 @@ tokio-util = { version = "0.7.11", default-features = false }
 tracing = { version = "0.1.40", default-features = false }
 regex = { version = "1.10.6", default-features = false }
 zstd = { version = "0.13.3", default-features = false }
-rustls = { version = "0.23.18", default-features = false, features = ["fips"], optional = true }
-rustls-native-certs = { version = "0.8.1", optional = true }
-
+datadog-serverless-fips = { path = "../datadog-serverless-fips", default-features = false }
 
 [dev-dependencies]
 mockito = { version = "1.5.0", default-features = false }
@@ -35,4 +33,4 @@ tracing-test = { version = "0.2.5", default-features = false }
 
 [features]
 default = [ "reqwest/rustls-tls" ]
-fips = [ "reqwest/rustls-tls-no-provider", "rustls", "rustls-native-certs" ]
+fips = [ "reqwest/rustls-tls-no-provider", "datadog-serverless-fips/fips" ]

crates/dogstatsd/Cargo.toml

@@ -3,9 +3,9 @@
 
 //!Types to serialize data into the Datadog API
 
-use crate::fips::create_reqwest_client_builder;
 use crate::flusher::ShippingError;
 use datadog_protos::metrics::SketchPayload;
+use datadog_serverless_fips::reqwest_adapter::create_reqwest_client_builder;
 use derive_more::{Display, Into};
 use protobuf::Message;
 use regex::Regex;

crates/dogstatsd/src/datadog.rs

@@ -12,6 +12,5 @@ pub mod constants;
 pub mod datadog;
 pub mod dogstatsd;
 pub mod errors;
-pub mod fips;
 pub mod flusher;
 pub mod metric;