Add whitelist_headers to client config

aws · Jul 19, 2016 · 6777835 · 6777835
1 parent a6d68a3
commit 6777835
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 9 deletions.
diff --git a/aws-sdk-core/lib/aws-sdk-core.rb b/aws-sdk-core/lib/aws-sdk-core.rb
@@ -171,6 +171,7 @@ module Plugins
     autoload :ParamValidator, 'aws-sdk-core/plugins/param_validator'
     autoload :RegionalEndpoint, 'aws-sdk-core/plugins/regional_endpoint'
     autoload :ResponsePaging, 'aws-sdk-core/plugins/response_paging'
+    autoload :WhitelistHeaders, 'aws-sdk-core/plugins/sigv4_whitelist_headers'
     autoload :RequestSigner, 'aws-sdk-core/plugins/request_signer'
     autoload :RetryErrors, 'aws-sdk-core/plugins/retry_errors'
     autoload :Route53IdFix, 'aws-sdk-core/plugins/route_53_id_fix'

diff --git a/aws-sdk-core/lib/aws-sdk-core/client.rb b/aws-sdk-core/lib/aws-sdk-core/client.rb
@@ -12,6 +12,7 @@ class Client < Seahorse::Client::Base
       'Aws::Plugins::RetryErrors',
       'Aws::Plugins::GlobalConfiguration',
       'Aws::Plugins::RegionalEndpoint',
+      'Aws::Plugins::WhitelistHeaders',
       'Aws::Plugins::RequestSigner',
       'Aws::Plugins::ResponsePaging',
       'Aws::Plugins::StubResponses',

diff --git a/aws-sdk-core/lib/aws-sdk-core/plugins/ec2_copy_encrypted_snapshot.rb b/aws-sdk-core/lib/aws-sdk-core/plugins/ec2_copy_encrypted_snapshot.rb
@@ -74,7 +74,10 @@ def new_endpoint(context)
         end
 
         def presigned_url(http_request, config)
-          signer = Signers::V4.new(config.credentials, 'ec2', config.region)
+          signer = Signers::V4.new(
+            config.credentials, 'ec2',
+            config.region, config.whitelist_headers
+          )
           signer.presigned_url(http_request, expires_in: 3600)
         end
 

diff --git a/aws-sdk-core/lib/aws-sdk-core/plugins/s3_request_signer.rb b/aws-sdk-core/lib/aws-sdk-core/plugins/s3_request_signer.rb
@@ -125,7 +125,9 @@ def update_region_header(context, region)
           context.http_request.headers.delete('authorization')
           context.http_request.headers.delete('x-amz-security-token')
           context.http_request.endpoint.host = new_hostname(context, region)
-          signer = Signers::V4.new(context.config.credentials, 's3', region)
+          signer = Signers::V4.new(
+            context.config.credentials, 's3', region, context.config.whitelist_headers
+          )
           signer.sign(context.http_request)
         end
 

diff --git a/aws-sdk-core/lib/aws-sdk-core/plugins/sigv4_whitelist_headers.rb b/aws-sdk-core/lib/aws-sdk-core/plugins/sigv4_whitelist_headers.rb
@@ -0,0 +1,20 @@
+module Aws
+  module Plugins
+
+    # @seahorse.client.option [Array] :whitelist_headers ([])
+    # headers value provided in :whitelist_option will escape
+    # blacklis_header check in v4 signer
+    class WhitelistHeaders < Seahorse::Client::Plugin
+
+      option(:whitelist_headers, [])
+
+      class Handler < Seahorse::Client::Handler
+
+        def add_handlers(handlers, config)
+          handlers.add(Handler, step: :sign)
+        end
+
+      end
+    end
+  end
+end
diff --git a/aws-sdk-core/lib/aws-sdk-core/s3/presigner.rb b/aws-sdk-core/lib/aws-sdk-core/s3/presigner.rb
@@ -97,7 +97,7 @@ def sign_but_dont_send(req, expires_in, scheme)
           end
           signer = Signers::V4.new(
             context.config.credentials, 's3',
-            context.config.region
+            context.config.region, context.config.whitelist_headers
           )
           url = signer.presigned_url(
             context.http_request,

diff --git a/aws-sdk-core/lib/aws-sdk-core/signers/v4.rb b/aws-sdk-core/lib/aws-sdk-core/signers/v4.rb
@@ -29,7 +29,8 @@ def self.sign(context)
         new(
           context.config.credentials,
           context.config.sigv4_name,
-          context.config.sigv4_region
+          context.config.sigv4_region,
+          context.config.whitelist_headers
         ).sign(context.http_request)
       end
 
@@ -44,11 +45,7 @@ def initialize(credentials, service_name, region, whitelist_headers = [])
         @service_name = service_name
         @credentials = credentials.credentials
         @region = EndpointProvider.signing_region(region, service_name)
-        if whitelist_headers.any? && (BLACKLIST_HEADERS & whitelist_headers).any?
-          @blacklist = BLACKLIST_HEADERS - whitelist_headers
-        else
-          @blacklist = BLACKLIST_HEADERS
-        end
+        @blacklist = BLACKLIST_HEADERS - whitelist_headers
       end
 
       # @param [Seahorse::Client::Http::Request] req

diff --git a/aws-sdk-core/spec/aws/plugins/sigv4_whitelist_headers_spec.rb b/aws-sdk-core/spec/aws/plugins/sigv4_whitelist_headers_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+module Aws
+  module Plugins
+    describe WhitelistHeaders do
+
+      let(:plugin) { WhitelistHeaders.new }
+
+      let(:config) { Seahorse::Client::Configuration.new }
+
+      describe 'sigv4 whitelist headers' do
+
+        it 'accepts a sigv4 whitelist headers configuration option' do
+          plugin.add_options(config)
+          expect(
+            config.build!(whitelist_headers: ['foo', 'bar']).whitelist_headers
+          ).to eq(['foo', 'bar'])
+        end
+
+        it 'defaults the sig4 whitelist headers to an empty array' do
+          plugin.add_options(config)
+          expect(config.build!.whitelist_headers).to eq([])
+        end
+
+      end
+    end
+  end
+end