Use Host header for AWS SigV4 signing (#97)

* resolves #96 * added tests to reproduce issue #96 * executed webpack
grafana · Apr 2, 2024 · 79a5893 · 79a5893
1 parent 358d316
commit 79a5893
Show file tree

Hide file tree

Showing 24 changed files with 73 additions and 24 deletions.
diff --git a/dist/aws.js b/dist/aws.js
diff --git a/dist/aws.js.map b/dist/aws.js.map
diff --git a/dist/event-bridge.js b/dist/event-bridge.js
diff --git a/dist/event-bridge.js.map b/dist/event-bridge.js.map
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/kinesis.js b/dist/kinesis.js
diff --git a/dist/kinesis.js.map b/dist/kinesis.js.map
diff --git a/dist/kms.js b/dist/kms.js
diff --git a/dist/kms.js.map b/dist/kms.js.map
diff --git a/dist/lambda.js b/dist/lambda.js
diff --git a/dist/lambda.js.map b/dist/lambda.js.map
diff --git a/dist/s3.js b/dist/s3.js
diff --git a/dist/s3.js.map b/dist/s3.js.map
diff --git a/dist/secrets-manager.js b/dist/secrets-manager.js
diff --git a/dist/secrets-manager.js.map b/dist/secrets-manager.js.map
diff --git a/dist/signature.js b/dist/signature.js
diff --git a/dist/signature.js.map b/dist/signature.js.map
diff --git a/dist/sqs.js b/dist/sqs.js
diff --git a/dist/sqs.js.map b/dist/sqs.js.map
diff --git a/dist/ssm.js b/dist/ssm.js
diff --git a/dist/ssm.js.map b/dist/ssm.js.map
diff --git a/src/internal/signature.ts b/src/internal/signature.ts
@@ -99,7 +99,10 @@ export class SignatureV4 {
         //   Standard headers like content-type are optional.
         //   For HTTP/2 requests, you must include the :authority header instead of
         //   the host header. Different services might require other headers."
-        request.headers[constants.HOST_HEADER] = request.endpoint.hostname
+        if (!request.headers[constants.HOST_HEADER]) {
+          request.headers[constants.HOST_HEADER] = request.endpoint.hostname
+      }
+
 
         // Filter out headers that will be generated and managed by the signing process.
         // If the user provide any of those as part of the HTTPRequest's headers, they
@@ -214,7 +217,9 @@ export class SignatureV4 {
         //   Standard headers like content-type are optional.
         //   For HTTP/2 requests, you must include the :authority header instead of
         //   the host header. Different services might require other headers."
-        request.headers[constants.HOST_HEADER] = originalRequest.endpoint.hostname
+        if (!request.headers[constants.HOST_HEADER]) {
+          request.headers[constants.HOST_HEADER] = originalRequest.endpoint.hostname
+      }
 
         // If the user provided a session token, include it in the signed url query string.
         if (this.credentials.sessionToken) {

diff --git a/tests/internal/signature.js b/tests/internal/signature.js
@@ -63,6 +63,26 @@ export function signatureV4TestSuite() {
                 )
             })
 
+            describe('#sign should sign requests to target endpoint different from host (proxy use case)', () => {
+              const { headers } = signer.sign(
+                  {
+                      method: 'POST',
+                      endpoint: new Endpoint('https://target-foo.us-bar-1.amazonaws.com'),
+                      path: '/',
+                      headers: {
+                          host: 'foo.us-bar-1.amazonaws.com',
+                      },
+                  },
+                  {
+                      signingDate: new Date('2000-01-01T00:00:00Z'),
+                  }
+              )
+
+              expect(headers[AUTHORIZATION_HEADER]).to.equal(
+                  'AWS4-HMAC-SHA256 Credential=foo/20000101/us-bar-1/foo/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=1e3b24fcfd7655c0c245d99ba7b6b5ca6174eab903ebfbda09ce457af062ad30'
+              )
+          })
+
             describe('#sign should support overriding region and service in the signer instance', () => {
                 const signer = new SignatureV4({
                     credentials: credentials,
@@ -409,6 +429,30 @@ export function signatureV4TestSuite() {
                 })
             })
 
+            describe('should presign requests to target endpoint different from host (proxy use case)', () => {
+              const { query } = signer.presign(
+                  {
+                      method: 'POST',
+                      endpoint: new Endpoint('https://target-foo.us-bar-1.amazonaws.com'),
+                      path: '/',
+                      headers: {
+                          host: 'foo.us-bar-1.amazonaws.com',
+                      },
+                  },
+                  presigningOptions
+              )
+
+              expect(query).to.deep.equal({
+                  [AMZ_ALGORITHM_QUERY_PARAM]: SIGNING_ALGORITHM_IDENTIFIER,
+                  [AMZ_CREDENTIAL_QUERY_PARAM]: 'foo/20000101/us-bar-1/foo/aws4_request',
+                  [AMZ_DATE_QUERY_PARAM]: '20000101T000000Z',
+                  [AMZ_EXPIRES_QUERY_PARAM]: presigningOptions.expiresIn.toString(),
+                  [AMZ_SIGNED_HEADERS_QUERY_PARAM]: HOST_HEADER,
+                  [AMZ_SIGNATURE_QUERY_PARAM]:
+                      '46f0091f3e84cbd4552a184f43830a4f8b42fd18ceaefcdc2c225be1efd9e00e',
+              })
+          })
+
             describe('should sign request without hoisting some headers', () => {
                 const options = JSON.parse(JSON.stringify(presigningOptions))
                 options.unhoistableHeaders = new Set(['x-amz-not-hoisted'])