FX: constructing v4 query auth signature with proxyPath

lib/auth/v4/headerAuthCheck.js

@@ -127,6 +127,17 @@ function check(request, log, data, awsService) {
         return { err: errors.RequestTimeTooSkewed };
     }
 
+    let proxyPath = null;
+    if (request.headers.proxy_path) {
+        try {
+            proxyPath = decodeURIComponent(request.headers.proxy_path);
+        } catch (err) {
+            log.debug('invalid proxy_path header', { proxyPath, err });
+            return { err: errors.InvalidArgument.customizeDescription(
+              'invalid proxy_path header') };
+        }
+    }
+
     const stringToSign = constructStringToSign({
         log,
         request,
@@ -136,6 +147,7 @@ function check(request, log, data, awsService) {
         timestamp,
         payloadChecksum,
         awsService: service,
+        proxyPath,
     });
     log.trace('constructed stringToSign', { stringToSign });
     if (stringToSign instanceof Error) {

lib/auth/v4/queryAuthCheck.js

@@ -62,6 +62,17 @@ function check(request, log, data) {
         return { err: errors.RequestTimeTooSkewed };
     }
 
+    let proxyPath = null;
+    if (request.headers.proxy_path) {
+        try {
+            proxyPath = decodeURIComponent(request.headers.proxy_path);
+        } catch (err) {
+            log.debug('invalid proxy_path header', { proxyPath });
+            return { err: errors.InvalidArgument.customizeDescription(
+              'invalid proxy_path header') };
+        }
+    }
+
     // In query v4 auth, the canonical request needs
     // to include the query params OTHER THAN
     // the signature so create a
@@ -87,6 +98,7 @@ function check(request, log, data) {
         credentialScope:
             `${scopeDate}/${region}/${service}/${requestType}`,
         awsService: service,
+        proxyPath,
     });
     if (stringToSign instanceof Error) {
         return { err: stringToSign };

tests/unit/auth/v4/queryAuthCheck.js

@@ -225,4 +225,34 @@ describe('v4 queryAuthCheck', () => {
         assert.strictEqual(res.params.version, 4);
         done();
     });
+
+    it('should successfully return no error if proxy_path header is added',
+    done => {
+        // Freezes time so date created within function will be Feb 8, 2016
+        const clock = lolex.install(1454974984001);
+        /* eslint-disable camelcase */
+        const alteredRequest = createAlteredRequest({ proxy_path:
+        'proxy/1234' }, 'headers', request, query);
+        /* eslint-enable camelcase */
+        const res = queryAuthCheck(alteredRequest, log, alteredRequest.query);
+        clock.uninstall();
+        assert.deepStrictEqual(res.err, null);
+        done();
+    });
+
+    it('should return InvalidRequest error if proxy_path header is invalid',
+    done => {
+        // Freezes time so date created within function will be Feb 8, 2016
+        const clock = lolex.install(1454974984001);
+        /* eslint-disable camelcase */
+        const alteredRequest = createAlteredRequest({ proxy_path:
+        'absc%2proxy/1234' }, 'headers', request, query);
+        /* eslint-enable camelcase */
+        const res = queryAuthCheck(alteredRequest, log, alteredRequest.query);
+        clock.uninstall();
+        assert.deepStrictEqual(res.err,
+            errors.InvalidArgument.customizeDescription(
+            'invalid proxy_path header'));
+        done();
+    });
 });