providers/aws: Refactor + fix 2x Authorization header append issue. #5475
This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind open-policy-agent#5472. The underlying problem for open-policy-agent#5472 was that the `"Authorization"` header was being appended *twice* to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map.

This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized.

We now explicitly test for that condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future.

Fixes: open-policy-agent#5472
Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
c6e8d3c to d514932
Looks like the |
I have tested this with some config that looks like this:
Without these changes, I get the following error repeated in the console:
After building from this branch I no longer see these errors and see that my bundle code is loaded as expected (visible in |
Thanks for testing the PR out @charlieegan3! 😃
…pen-policy-agent#5475) This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind open-policy-agent#5472. The underlying problem for was that the `"Authorization"` header was being appended *twice* to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map. This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized. We now explicitly test for that condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future. Fixes: open-policy-agent#5472 Signed-off-by: Philip Conrad <philipaconrad@gmail.com> (cherry picked from commit 1d1cb35)
…5475) This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind #5472. The underlying problem for was that the `"Authorization"` header was being appended *twice* to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map. This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized. We now explicitly test for that condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future. Fixes: #5472 Signed-off-by: Philip Conrad <philipaconrad@gmail.com> (cherry picked from commit 1d1cb35)
This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind #5472. The underlying problem for #5472 was that the `"Authorization"` header was being appended twice to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map.

This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized.

We now test for this exact condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future.

Fixes: #5472
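The failure mode described above, as an added Go example that is not OPA's own code: a signer that returns one combined map makes it easy to add `Authorization` twice, and a check based on `Header.Get` cannot see it. All function names, the placeholder `Authorization` value (not a real SigV4 signature) and the URL are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed placeholder; no real SigV4 computation happens in this example.
const fakeAuth = "AWS4-HMAC-SHA256 Credential=EXAMPLE, SignedHeaders=host;x-amz-date, Signature=constructed"

// signedHeaders is a hypothetical signer that returns every header in one map.
func signedHeaders() map[string]string {
	return map[string]string{"Authorization": fakeAuth, "X-Amz-Date": "20230101T000000Z"}
}

// applyBuggy copies the whole map, then pulls "Authorization" from it a second time.
func applyBuggy(req *http.Request) {
	h := signedHeaders()
	for k, v := range h {
		req.Header.Add(k, v)
	}
	req.Header.Add("Authorization", h["Authorization"])
}

// signSplit returns the auth value separately from the remaining AWS headers.
func signSplit() (string, map[string]string) {
	h := signedHeaders()
	auth := h["Authorization"]
	delete(h, "Authorization")
	return auth, h
}

// applyFixed sets each header exactly once.
func applyFixed(req *http.Request) {
	auth, h := signSplit()
	for k, v := range h {
		req.Header.Set(k, v)
	}
	req.Header.Set("Authorization", auth)
}

// authCount counts every value; Header.Get would return only the first one.
func authCount(req *http.Request) int { return len(req.Header.Values("Authorization")) }

func newReq() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://bucket.example.invalid/bundle.tar.gz", nil)
	return req
}

func main() {
	bad, good := newReq(), newReq()
	applyBuggy(bad)
	applyFixed(good)
	fmt.Println("buggy:", authCount(bad), "fixed:", authCount(good))
}
```

A test that asserts on `req.Header.Get("Authorization")` passes for both requests, which is why the count of values is the assertion that catches the regression.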