From 323a64b103f8744b65290138515c3fba6967e7cb Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Wed, 12 May 2021 21:58:57 +0000
Subject: [PATCH] aws_request_signing_filter hash payload by default (#15846)

canonical must include the hashed payload for most services. The prior behavior of using UNSIGNED-PAYLOAD is an exception to the rule, which select services like s3 support, since hashing the payload may be impractical if the payload is very large. A new filter option is introduced, so that the filter may be explicitly configured to use the UNSIGNED-PAYLOAD string literal as specified in the S3 signing docs: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

fixes #13904

Additional Description: The original implementation was seemingly very specific to S3 and was subsequently amended to extend the same niche signing behaviors for ES and Glacier. This changes the filter's default behavior to match the general SigV4 guidelines while providing a configuration option to enable the specialized UNSIGNED-PAYLOAD behavior. https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

Risk Level: Medium? Deployments using the filter will now buffer requests by default, which could result in 413 responses for requests with bodies exceeding the buffer limit. These users can mitigate buffering by enabling the `unsigned_payload` option.

Testing: I tested locally with a filter config. I anticipate updating the automated tests based on feedback from maintainers.

Docs Changes: Added

Signed-off-by: Jonathan Stewmon

Mirrored from https://github.com/envoyproxy/envoy @ 80e1ca899e3170c8f87dfd300c9c5dacc76d100b

--- .../http/aws_request_signing/v3/aws_request_signing.proto | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto b/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto index 215c7414..ae464001 100644
--- a/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto +++ b/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto @@ -43,4 +43,9 @@ message AwsRequestSigning { // value set here would be used for signing whereas the value set in the HCM would be used // for host header forwarding which is not the desired outcome. string host_rewrite = 3; + + // Instead of buffering the request to calculate the payload hash, use the literal string ``UNSIGNED-PAYLOAD`` + // to calculate the payload hash. Not all services support this option. See the `S3 + // `_ policy for details. + bool use_unsigned_payload = 4; }
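Review bot: the doc comment on the new `use_unsigned_payload = 4` field says the literal is used "to calculate the payload hash", but the commit message describes the literal as standing in for the hash, so the wording should say it is used in place of the payload hash. The comment also leaves out what an operator needs to decide on the flag: that the default (false) now buffers the whole request body to hash it, that bodies over the buffer limit can get a 413 as the commit message warns, and that with the flag set the request body is no longer covered by the signature. The commit message calls the option `unsigned_payload` while the field is `use_unsigned_payload`; one of the two should be aligned so the mitigation advice matches the real field name. Finally, the RST link in the last comment line reads `S3 `_ with no target as shown here, so please check that the URL is present in the source and renders in the generated docs.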