Merge branch 'bugfix/ARSN-387-ssl-check-fix' into tmp/octopus/w/7.70/bugfix/ARSN-387-ssl-check-fix

fixup: update test
ARSN-387: update test
2024-03-11 11:25:17 +00:00 · 2024-03-06 10:35:00 +01:00 · 2024-03-06 10:34:59 +01:00 · 2024-03-06 10:34:58 +01:00
3 changed files with 8 additions and 4 deletions
--- a/lib/policyEvaluator/utils/conditions.ts
+++ b/lib/policyEvaluator/utils/conditions.ts
@ -61,7 +61,7 @@ export function findConditionKey(
    case 'aws:referer': return headers.referer;
    // aws:SecureTransport – Used to check whether the request was sent
    // using SSL (see Boolean Condition Operators).
-    case 'aws:SecureTransport': return requestContext.getSslEnabled() ? 'true' : 'false';
+    case 'aws:SecureTransport': return headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false';
    // aws:SourceArn – Used check the source of the request,
    // using the ARN of the source. N/A here.
    case 'aws:SourceArn': return undefined;
--- a/lib/policyEvaluator/utils/variables.ts
+++ b/lib/policyEvaluator/utils/variables.ts
@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string
    // aws:SecureTransport is boolean value that represents whether the
    // request was sent using SSL
    map.set('aws:SecureTransport',
-        requestContext.getSslEnabled() ? 'true' : 'false');
+        headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false');
    // aws:SourceIp is requester's IP address, for use with IP address
    // conditions
    map.set('aws:SourceIp', requestContext.getRequesterIp());
--- a/tests/unit/policyEvaluator.spec.js
+++ b/tests/unit/policyEvaluator.spec.js
@ -906,7 +906,9 @@ describe('policyEvaluator', () => {
            () => {
                policy.Statement.Condition = { Bool:
                        { 'aws:SecureTransport': 'true' } };
-                const rcModifiers = { _sslEnabled: false };
+                const rcModifiers = { _headers: {
                    'x-forwarded-proto': 'http',
                } };
                check(requestContext, rcModifiers, policy, 'Neutral');
            });
@ -915,7 +917,9 @@ describe('policyEvaluator', () => {
            () => {
                policy.Statement.Condition = { Bool:
                        { 'aws:SecureTransport': 'true' } };
-                const rcModifiers = { _sslEnabled: true };
+                const rcModifiers = { _headers: {
                    'x-forwarded-proto': 'https',
                } };
                check(requestContext, rcModifiers, policy, 'Allow');
            });
Author	SHA1	Message	Date
bert-e	8da8d395d9	Merge branch 'bugfix/ARSN-387-ssl-check-fix' into tmp/octopus/w/7.70/bugfix/ARSN-387-ssl-check-fix	2024-03-11 11:25:17 +00:00
Will Toozs	0466eb4d82	fixup: update test	2024-03-06 10:35:00 +01:00
Will Toozs	8edd2f1c0c	ARSN-387: update test	2024-03-06 10:34:59 +01:00
Will Toozs	9e3e723fb7	ARSN-387: check for forwarded proto header	2024-03-06 10:34:58 +01:00