smithy-lang · jdisanti · May 16, 2022 · May 10, 2022 · May 12, 2022 · May 12, 2022
@@ -9,4 +9,10 @@
 # message = "Fix typos in module documentation for generated crates"
 # references = ["smithy-rs#920"]
 # meta = { "breaking" = false, "tada" = false, "bug" = false }
-# author = "rcoh"
+# author = "rcoh"
+
+[[smithy-rs]]
+message = "Add ability to sign a request with all headers, or to change which headers are excluded from signing"
+references = ["smithy-rs#1381"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "alonlud"
@@ -10,7 +10,7 @@ use crate::http_request::sign::SignableRequest;
 use crate::http_request::url_escape::percent_encode_path;
 use crate::http_request::PercentEncodingMode;
 use crate::sign::sha256_hex_string;
-use http::header::{HeaderName, HOST, USER_AGENT};
+use http::header::{HeaderName, HOST};
 use http::{HeaderMap, HeaderValue, Method, Uri};
 use std::borrow::Cow;
 use std::cmp::Ordering;
@@ -218,10 +218,12 @@ impl<'a> CanonicalRequest<'a> {
 
         let mut signed_headers = Vec::with_capacity(canonical_headers.len());
         for (name, _) in &canonical_headers {
-            // The user agent header should not be signed because it may be altered by proxies
-            if name == USER_AGENT {
-                continue;
+            if let Some(excluded_headers) = params.settings.excluded_headers.as_ref() {
+                if excluded_headers.contains(name) {
+                    continue;
+                }
             }
+
             if params.settings.signature_location == SignatureLocation::QueryParams {
                 // The X-Amz-User-Agent header should not be signed if this is for a presigned URL
                 if name == HeaderName::from_static(header::X_AMZ_USER_AGENT) {

@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+use http::header::{HeaderName, USER_AGENT};
 use std::time::Duration;
 
 /// HTTP signing parameters
@@ -25,6 +26,9 @@ pub struct SigningSettings {
 
     /// For presigned requests, how long the presigned request is valid for
     pub expires_in: Option<Duration>,
+
+    /// Headers that should be excluded from the signing process
+    pub excluded_headers: Option<Vec<HeaderName>>,
 }
 
 /// HTTP payload checksum type
@@ -59,11 +63,15 @@ pub enum PercentEncodingMode {
 
 impl Default for SigningSettings {
     fn default() -> Self {
+        // The user agent header should not be signed because it may be altered by proxies
+        const EXCLUDED_HEADERS: [HeaderName; 1] = [USER_AGENT];
+
         Self {
             percent_encoding_mode: PercentEncodingMode::Double,
             payload_checksum_kind: PayloadChecksumKind::NoHeader,
             signature_location: SignatureLocation::Headers,
             expires_in: None,
+            excluded_headers: Some(EXCLUDED_HEADERS.to_vec()),
         }
     }
 }