aws_request_signing_filter hash payload by default (#15846)

canonical must include the hashed payload for most services. The prior
behavior of using UNSIGNED-PAYLOAD is an exception to the rule, which
select services like s3 support, since hashing the payload may be
impractical if the payload is very large.

A new filter option is introduced, so that the filter may be explicitly
configured to use the UNSIGNED-PAYLOAD string literal as specified
in the S3 signing docs:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

fixes #13904

Additional Description:
The original implementation was seemingly very specific to S3 and was subsequently amended to extend the same niche signing behaviors for ES and Glacier. This changes the filter's default behavior to match the general SigV4 guidelines while providing a configuration option to enable the specialized UNSIGNED-PAYLOAD behavior.

https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

Risk Level: Medium?

Deployments using the filter will now buffer requests by default, which could result in 413 responses for requests with bodies exceeding the buffer limit. These users can mitigate buffering by enabling the `unsigned_payload` option.

Testing:

I tested locally with a filter config. I anticipate updating the automated tests based on feedback from maintainers.

Docs Changes: Added

Signed-off-by: Jonathan Stewmon <jstewmon@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 80e1ca899e3170c8f87dfd300c9c5dacc76d100b
pull/624/head
data-plane-api(Azure Pipelines) 4 years ago
parent e84aeb9194
commit 323a64b103
  1. 5
      envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@ -43,4 +43,9 @@ message AwsRequestSigning {
// value set here would be used for signing whereas the value set in the HCM would be used
// for host header forwarding which is not the desired outcome.
string host_rewrite = 3;
// Instead of buffering the request to calculate the payload hash, use the literal string ``UNSIGNED-PAYLOAD``
// to calculate the payload hash. Not all services support this option. See the `S3
// <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
bool use_unsigned_payload = 4;
}
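
Review bot: the comment on `use_unsigned_payload` says the literal `UNSIGNED-PAYLOAD` is used "to calculate the payload hash", but per the commit description the literal is used in place of the hashed payload in the canonical request, so the wording should say "instead of the payload hash". The comment also leaves the default undocumented: with this field unset the filter buffers the request body to hash it, and the commit message notes that this can produce 413 responses when the body exceeds the buffer limit. State that in the field comment so operators see it where they configure the filter. Finally, the commit message calls the option `unsigned_payload` while the field added here is `use_unsigned_payload`; align the two names so users look for the right setting.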
