Expand skipped headers for sigv4 canonical request signing to include…

… x-amzn-trace-id and authorization headers.
smithy-lang · Jun 28, 2023 · 3ef5a9c · 3ef5a9c
1 parent 8663237
commit 3ef5a9c
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 15 deletions.
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
@@ -12,9 +12,9 @@
 # author = "rcoh"
 
  [[aws-sdk-rust]]
- message = "Automatically exclude x-ray trace id headers and authorization headers from Sigv4 canonical request calculations."
- references = ["smithy-rs#2813"]
- meta = { "breaking" = false, "tada" = false, "bug" = false }
+ message = "Automatically exclude X-Ray trace ID headers and authorization headers from SigV4 canonical request calculations."
+ references = ["smithy-rs#2815"]
+ meta = { "breaking" = false, "tada" = false, "bug" = true }
  author = "relevantsam"
 
  [[aws-sdk-rust]]

diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
@@ -774,6 +774,36 @@ mod tests {
         assert_eq!(creq.values.signed_headers().as_str(), "host;x-amz-date");
     }
 
+    // It should exclude authorization, user-agent, x-amzn-trace-id headers from presigning
+    #[test]
+    fn non_presigning_header_exclusion() {
+        let request = http::Request::builder()
+            .uri("https://some-endpoint.some-region.amazonaws.com")
+            .header("authorization", "test-authorization")
+            .header("content-type", "application/xml")
+            .header("content-length", "0")
+            .header("user-agent", "test-user-agent")
+            .header("x-amzn-trace-id", "test-trace-id")
+            .header("x-amz-user-agent", "test-user-agent")
+            .body("")
+            .unwrap();
+        let request = SignableRequest::from(&request);
+
+        let settings = SigningSettings {
+            signature_location: SignatureLocation::Headers,
+            ..Default::default()
+        };
+
+        let signing_params = signing_params(settings);
+        let canonical = CanonicalRequest::from(&request, &signing_params).unwrap();
+
+        let values = canonical.values.as_headers().unwrap();
+        assert_eq!(
+            "content-length;content-type;host;x-amz-date;x-amz-user-agent",
+            values.signed_headers.as_str()
+        );
+    }
+
     // It should exclude authorization, user-agent, x-amz-user-agent, x-amzn-trace-id headers from presigning
     #[test]
     fn presigning_header_exclusion() {

diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs b/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
@@ -9,7 +9,7 @@ use std::time::Duration;
 /// HTTP signing parameters
 pub type SigningParams<'a> = crate::SigningParams<'a, SigningSettings>;
 
-const X_RAY_TRACE_HEADER: &str = "x-amzn-trace-id";
+const HEADER_NAME_X_RAY_TRACE_ID: &str = "x-amzn-trace-id";
 
 /// HTTP-specific signing settings
 #[derive(Debug, PartialEq)]
@@ -105,22 +105,24 @@ impl Default for SigningSettings {
         // Java SDK: <https://github.com/aws/aws-sdk-java-v2/blob/master/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L70>
         // JS SDK: <https://github.com/aws/aws-sdk-js/blob/master/lib/signers/v4.js#L191>
         // There is no single source of truth for these available, so this uses the minimum common set of the excluded options.
-        let excluded_headers: Vec<HeaderName> = [
-            // This header is calculated as part of the signing process, so if it's present, discard it
-            AUTHORIZATION,
-            // Changes when sent by proxy
-            USER_AGENT,
-            // Changes based on the request from the client
-            HeaderName::from_static(X_RAY_TRACE_HEADER),
-        ]
-        .to_vec();
-
+        // Instantiate this every time, because SigningSettings takes a Vec (which cannot be const);
+        let excluded_headers = Some(
+            [
+                // This header is calculated as part of the signing process, so if it's present, discard it
+                AUTHORIZATION,
+                // Changes when sent by proxy
+                USER_AGENT,
+                // Changes based on the request from the client
+                HeaderName::from_static(HEADER_NAME_X_RAY_TRACE_ID),
+            ]
+            .to_vec(),
+        );
         Self {
             percent_encoding_mode: PercentEncodingMode::Double,
             payload_checksum_kind: PayloadChecksumKind::NoHeader,
             signature_location: SignatureLocation::Headers,
             expires_in: None,
-            excluded_headers: Some(excluded_headers),
+            excluded_headers,
             uri_path_normalization_mode: UriPathNormalizationMode::Enabled,
             session_token_mode: SessionTokenMode::Include,
         }