
4 Commits

Author SHA1 Message Date
bert-e 8da8d395d9 Merge branch 'bugfix/ARSN-387-ssl-check-fix' into tmp/octopus/w/7.70/bugfix/ARSN-387-ssl-check-fix 2024-03-11 11:25:17 +00:00
Will Toozs 0466eb4d82
fixup: update test 2024-03-06 10:35:00 +01:00
Will Toozs 8edd2f1c0c
ARSN-387: update test 2024-03-06 10:34:59 +01:00
Will Toozs 9e3e723fb7
ARSN-387: check for forwarded proto header 2024-03-06 10:34:58 +01:00
3 changed files with 8 additions and 4 deletions


@ -61,7 +61,7 @@ export function findConditionKey(
case 'aws:referer': return headers.referer; case 'aws:referer': return headers.referer;
// aws:SecureTransport Used to check whether the request was sent // aws:SecureTransport Used to check whether the request was sent
// using SSL (see Boolean Condition Operators). // using SSL (see Boolean Condition Operators).
case 'aws:SecureTransport': return requestContext.getSslEnabled() ? 'true' : 'false'; case 'aws:SecureTransport': return headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false';
// aws:SourceArn Used check the source of the request, // aws:SourceArn Used check the source of the request,
// using the ARN of the source. N/A here. // using the ARN of the source. N/A here.
case 'aws:SourceArn': return undefined; case 'aws:SourceArn': return undefined;
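Review bot: The new `aws:SecureTransport` value in `findConditionKey` comes only from the `x-forwarded-proto` request header, which is client-supplied unless a trusted proxy in front of this service always overwrites it. If a request can reach the evaluator without that proxy, or the proxy passes the header through, a policy condition on `aws:SecureTransport` can be satisfied by a request that never used TLS. The header should therefore be honoured only where the deployment guarantees a trusted hop sets it; the same expression is added in the `findVariable` section of the second file. The previous `requestContext.getSslEnabled()` signal is dropped entirely, so if direct TLS termination is still supported, consider `requestContext.getSslEnabled() || headers?.['x-forwarded-proto'] === 'https'`. The comment above the case still says the key reflects whether the request was sent using SSL and could read `// derived from X-Forwarded-Proto as set by the fronting proxy`; the function body continues outside the hunk.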


@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string
// aws:SecureTransport is boolean value that represents whether the // aws:SecureTransport is boolean value that represents whether the
// request was sent using SSL // request was sent using SSL
map.set('aws:SecureTransport', map.set('aws:SecureTransport',
requestContext.getSslEnabled() ? 'true' : 'false'); headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false');
// aws:SourceIp is requester's IP address, for use with IP address // aws:SourceIp is requester's IP address, for use with IP address
// conditions // conditions
map.set('aws:SourceIp', requestContext.getRequesterIp()); map.set('aws:SourceIp', requestContext.getRequesterIp());
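Review bot: `headers` is not declared in the visible lines of `findVariable`, whose signature takes only `variable` and `requestContext`, so confirm it is bound from the request context before this `map.set` call rather than resolved from an outer scope. This is the second copy of the `x-forwarded-proto` comparison; putting it behind one accessor on the request context would keep the two evaluators from drifting and give a single place to normalise the value. As written, the exact `=== 'https'` comparison treats `HTTPS` or a comma-separated value such as `https, http` from chained proxies as insecure, which fails closed but may surprise operators. `findVariable` starts and ends outside the hunk.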


@ -906,7 +906,9 @@ describe('policyEvaluator', () => {
() => { () => {
policy.Statement.Condition = { Bool: policy.Statement.Condition = { Bool:
{ 'aws:SecureTransport': 'true' } }; { 'aws:SecureTransport': 'true' } };
const rcModifiers = { _sslEnabled: false }; const rcModifiers = { _headers: {
'x-forwarded-proto': 'http',
} };
check(requestContext, rcModifiers, policy, 'Neutral'); check(requestContext, rcModifiers, policy, 'Neutral');
}); });
@ -915,7 +917,9 @@ describe('policyEvaluator', () => {
() => { () => {
policy.Statement.Condition = { Bool: policy.Statement.Condition = { Bool:
{ 'aws:SecureTransport': 'true' } }; { 'aws:SecureTransport': 'true' } };
const rcModifiers = { _sslEnabled: true }; const rcModifiers = { _headers: {
'x-forwarded-proto': 'https',
} };
check(requestContext, rcModifiers, policy, 'Allow'); check(requestContext, rcModifiers, policy, 'Allow');
}); });
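Review bot: Both updated cases in `describe('policyEvaluator')` set `x-forwarded-proto` explicitly, so nothing pins the result when the header is absent or when `_sslEnabled` is true without it. Add a case with `const rcModifiers = { _headers: {} };`, which presumably should evaluate to 'Neutral' like the `http` case, and one with a differently cased or multi-valued header value. That makes the fail-closed behaviour of the new check an asserted contract rather than an accident of the comparison. The enclosing `it(...)` calls start outside the hunks.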