Signed-off-by: Rex Chang <chiyc@amazon.com>
working on doc changes now
| // <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details. | ||
| bool use_unsigned_payload = 4; | ||
| // A given header that matches any of the configured matchers will not be signed. |
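Review bot: the comment should say what the matchers are applied to and what being "not signed" means for the header. Each entry is a StringMatcher run against the request header name, so the doc should spell out which matcher kinds the field accepts (the examples in this PR use `prefix` and `exact`) and state that an excluded header is left out of the SigV4 SignedHeaders list, so changes to it in transit are not detected by the signature; that is why only headers that intermediaries legitimately rewrite belong in this list.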
Let's rephrase this. I propose:
A list of request headers that will be excluded from signing.
You might expand a bit on the matcher implementation (haven't gotten that far yet) on whether these are prefix matchers etc.
expanded and added an example.
abaptiste left a comment
Overall looks good. Had a few comments.
ci/run_envoy_docker.sh
Outdated
| -e SYSTEM_STAGEDISPLAYNAME \ | ||
| -e SYSTEM_JOBDISPLAYNAME \ | ||
| -e SYSTEM_PULLREQUEST_PULLREQUESTNUMBER \ | ||
| -e GOPROXY=direct \ |
Let's omit this. It may not be applicable to Envoy, and is a direct artifact of building in our environment
source/extensions/common/aws/BUILD
Outdated
| "//source/common/buffer:buffer_lib", | ||
| "//source/common/common:hex_lib", | ||
| "//source/common/common:logger_lib", | ||
| "//source/common/common:matchers_lib", |
Wouldn't the signer library get the matchers_lib from including :utility_lib? Can you double check this and see if things still build and work without this line?
nice catch! that can be removed indeed.
| SignerImpl(absl::string_view service_name, absl::string_view region, | ||
| const CredentialsProviderSharedPtr& credentials_provider, TimeSource& time_source) | ||
| const CredentialsProviderSharedPtr& credentials_provider, TimeSource& time_source, | ||
| const std::vector<envoy::type::matcher::v3::StringMatcher>& matcher_config) |
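Review bot: `matcher_config` arrives by const reference, so the constructor has to convert the proto entries into `Matchers::StringMatcherPtr` objects and own the result at construction time rather than hold on to the reference. The call sites in this PR pass a temporary (`std::vector<envoy::type::matcher::v3::StringMatcher>{}`), which would dangle as soon as the constructor returns if the reference were stored. A short comment on the parameter saying the vector is consumed during construction would make that contract explicit.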
I suggest changing this so that you consume the vector of matcher pointers from the config when the signer is instantiated.
If this doesn't make sense because of lambda, and gRPC, then "this is fine" :)
I started with this but it seemed simpler to only handle the conversion between the proto and matcher pointer once in the Signer class, vs repeating them in the request signing, lambda, and grpc iam filters.
| // proxies | ||
| const auto key = entry.key().getStringView(); | ||
| if (key == Http::Headers::get().ForwardedFor.get() || | ||
| key == Http::Headers::get().ForwardedProto.get() || key == "x-amzn-trace-id" || |
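Review bot: now that the signer carries a configurable exclusion list, this hardcoded `X-Forwarded-For` / `X-Forwarded-Proto` / `x-amzn-trace-id` check and the configured matchers should be evaluated in a single loop. Building one ordered list of matchers in the constructor (the built-in defaults first, then the user-supplied entries) avoids two separate skip paths that can drift apart, and guarantees the proxy-rewritten headers stay excluded even when a user supplies their own list.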
Is there any way we can add x-amzn-trace-id as a default entry in the excluded headers?
Or even pre-populate the excluded headers with the XFF headers and amazon trace header?
I don't have strong feelings either way. I think it'd make this block a bit cleaner.
opted to provide a default exclusion list in the signer constructor.
| auto signer = std::make_unique<Common::Aws::SignerImpl>( | ||
| config.service_name(), getRegion(config), credentials_provider, api.timeSource()); | ||
| config.service_name(), getRegion(config), credentials_provider, api.timeSource(), | ||
| std::vector<envoy::type::matcher::v3::StringMatcher>{}); |
I suggest having a type defined for std::vector<envoy::type::matcher::v3::StringMatcher> perhaps:
using AwsSigV4HeaderExclusionVector = std::vector<envoy::type::matcher::v3::StringMatcher>;
That way you have an angle-bracket-free type (AwsSigV4HeaderExclusionVector) you can use throughout the implementation.
You might also have a hardcoded static entry for an empty vector? This last bit isn't a hard requirement.
| prefix: [x-envoy] | ||
| exact: [foo] |
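Review bot: this example does not match the shape of the field. The exclusion list is a repeated StringMatcher, so each entry is its own list item carrying one matcher kind, i.e. `- prefix: x-envoy` and `- exact: foo`; as written, `prefix: [x-envoy]` turns the field into a map whose values are lists, which will not parse as a list of StringMatcher messages.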
As I mentioned earlier in the proto file, let's add a bit of details as to how a user can specify a header and what sort of matcher we support.
Signed-off-by: Rex Chang <chiyc@amazon.com>
| match_excluded_headers: | ||
| - prefix: x-envoy | ||
| - prefix: x-forwarded | ||
| - exact: x-amzn-trace-id |
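Review bot: the doc next to this example should state that matching runs against the header name as Envoy stores it (lower-case) and that `exact` is case-sensitive unless the StringMatcher's `ignore_case` is set, so an entry like `exact: X-Amzn-Trace-Id` would silently never match. It is also worth saying that `prefix: x-forwarded` excludes every header beginning with that string, not only `x-forwarded-for` and `x-forwarded-proto`, which is presumably the intent since all of them are rewritten by intermediaries.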
| std::vector<Matchers::StringMatcherPtr> default_excluded_headers{}; | ||
| for (const auto& header : default_excluded_headers_) { |
The default_excluded_headers objects are really closely named. Don't really have a suggestion here other than something that disambiguates these a bit more.
renamed to matcher_ptrs to better reflect the return type
abaptiste left a comment
One minor change suggested. Looks good!
Signed-off-by: Rex Chang <chiyc@amazon.com>
* extends aws request signing filter with header exclusion list
Signed-off-by: Rex Chang <chiyc@amazon.com>
aws_request_signing: extend api to allow header exclusion (#1)
* extends aws request signing filter with header exclusion list
Signed-off-by: Rex Chang <chiyc@amazon.com>
Signed-off-by: Rex Chang <58710378+rexnp@users.noreply.github.com>
Commit Message: extends aws request signing filter with header exclusion list.
Additional Description:
Risk Level: Low
Testing: unit tests
Docs Changes: Pending
Release Notes: Pending
Platform Specific Features: N/A
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]
Fixes envoyproxy#18695