FX: constructing v4 query auth signature with proxyPath

2020-09-10 15:21:52 +02:00
3 changed files with 54 additions and 0 deletions
--- a/lib/auth/v4/headerAuthCheck.js
+++ b/lib/auth/v4/headerAuthCheck.js
@ -127,6 +127,17 @@ function check(request, log, data, awsService) {
        return { err: errors.RequestTimeTooSkewed };
    }

+    let proxyPath = null;
+    if (request.headers.proxy_path) {
+        try {
+            proxyPath = decodeURIComponent(request.headers.proxy_path);
+        } catch (err) {
+            log.debug('invalid proxy_path header', { proxyPath, err });
+            return { err: errors.InvalidArgument.customizeDescription(
+              'invalid proxy_path header') };
+        }
+    }
+
    const stringToSign = constructStringToSign({
        log,
        request,
@ -136,6 +147,7 @@ function check(request, log, data, awsService) {
        timestamp,
        payloadChecksum,
        awsService: service,
+        proxyPath,
    });
    log.trace('constructed stringToSign', { stringToSign });
    if (stringToSign instanceof Error) {
--- a/lib/auth/v4/queryAuthCheck.js
+++ b/lib/auth/v4/queryAuthCheck.js
@ -62,6 +62,17 @@ function check(request, log, data) {
        return { err: errors.RequestTimeTooSkewed };
    }

+    let proxyPath = null;
+    if (request.headers.proxy_path) {
+        try {
+            proxyPath = decodeURIComponent(request.headers.proxy_path);
+        } catch (err) {
+            log.debug('invalid proxy_path header', { proxyPath });
+            return { err: errors.InvalidArgument.customizeDescription(
+              'invalid proxy_path header') };
+        }
+    }
+
    // In query v4 auth, the canonical request needs
    // to include the query params OTHER THAN
    // the signature so create a
@ -87,6 +98,7 @@ function check(request, log, data) {
        credentialScope:
            `${scopeDate}/${region}/${service}/${requestType}`,
        awsService: service,
+        proxyPath,
    });
    if (stringToSign instanceof Error) {
        return { err: stringToSign };
--- a/tests/unit/auth/v4/queryAuthCheck.js
+++ b/tests/unit/auth/v4/queryAuthCheck.js
@ -225,4 +225,34 @@ describe('v4 queryAuthCheck', () => {
        assert.strictEqual(res.params.version, 4);
        done();
    });
+
+    it('should successfully return no error if proxy_path header is added',
+    done => {
+        // Freezes time so date created within function will be Feb 8, 2016
+        const clock = lolex.install(1454974984001);
+        /* eslint-disable camelcase */
+        const alteredRequest = createAlteredRequest({ proxy_path:
+        'proxy/1234' }, 'headers', request, query);
+        /* eslint-enable camelcase */
+        const res = queryAuthCheck(alteredRequest, log, alteredRequest.query);
+        clock.uninstall();
+        assert.deepStrictEqual(res.err, null);
+        done();
+    });
+
+    it('should return InvalidRequest error if proxy_path header is invalid',
+    done => {
+        // Freezes time so date created within function will be Feb 8, 2016
+        const clock = lolex.install(1454974984001);
+        /* eslint-disable camelcase */
+        const alteredRequest = createAlteredRequest({ proxy_path:
+        'absc%2proxy/1234' }, 'headers', request, query);
+        /* eslint-enable camelcase */
+        const res = queryAuthCheck(alteredRequest, log, alteredRequest.query);
+        clock.uninstall();
+        assert.deepStrictEqual(res.err,
+            errors.InvalidArgument.customizeDescription(
+            'invalid proxy_path header'));
+        done();
+    });
 });